45 changes: 40 additions & 5 deletions .github/workflows/run-ci-cd.yaml
@@ -131,8 +131,7 @@ jobs:
- build-staging-images
- set-release-version
permissions:
actions: write
contents: write
contents: read
uses: ./.github/workflows/scan-images.yaml
with:
aws_role_name: nest-staging-terraform
@@ -142,6 +141,23 @@ jobs:
frontend_ecr_repo: nest-staging-frontend
release_version: ${{ needs.set-release-version.outputs.release_version }}

upload-staging-sboms:
name: Upload Staging SBOMs
needs:
- scan-staging-images
- set-release-version
permissions:
actions: write
contents: write

P2: Staging SBOM upload job is over-privileged with contents: write; use read-only contents permission for least privilege.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/run-ci-cd.yaml, line 151:

<comment>Staging SBOM upload job is over-privileged with `contents: write`; use read-only contents permission for least privilege.</comment>

<file context>
@@ -142,6 +141,23 @@ jobs:
+      - set-release-version
+    permissions:
+      actions: write
+      contents: write
+    uses: ./.github/workflows/upload-sboms.yaml
+    with:
</file context>

uses: ./.github/workflows/upload-sboms.yaml
with:
aws_role_name: nest-staging-terraform
aws_role_session_name: GitHubActions-UploadStagingSBOMs
backend_ecr_repo: nest-staging-backend
environment: staging
frontend_ecr_repo: nest-staging-frontend
release_version: ${{ needs.set-release-version.outputs.release_version }}

bootstrap-nest-staging-infrastructure:
name: Bootstrap Nest Staging Infrastructure
if: |
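Review bot: `actions: write` on `upload-staging-sboms` has no visible consumer and should go along with the `contents: write` flagged in the comment above. On the staging path, `upload-sboms.yaml` only pulls the two ECR images, runs `make sbom-backend-image` / `make sbom-frontend-image`, and calls `actions/upload-artifact`; none of that uses the GITHUB_TOKEN `actions` scope, and `actions/checkout` there runs with `persist-credentials: false`. A `permissions:` block of just `contents: read` would match what `scan-staging-images` was reduced to in the hunk above. Note also that, unlike `upload-production-sboms`, this job has no `if:` guard, so it runs whenever `scan-staging-images` does; that is fine if staging SBOMs are wanted on every run, but worth a comment since the production job is gated.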
@@ -236,16 +252,35 @@ jobs:
- build-production-images
- set-release-version
permissions:
# Broader than typical scan jobs: required for "Upload SBOMs" (gh release upload).
actions: write
contents: write
contents: read
uses: ./.github/workflows/scan-images.yaml
with:
aws_role_name: nest-production-terraform
aws_role_session_name: GitHubActions-ScanProductionImages
backend_ecr_repo: nest-production-backend
environment: production
frontend_ecr_repo: nest-production-frontend
release_version: ${{ needs.set-release-version.outputs.release_version }}

upload-production-sboms:

P1: Extracting SBOM upload into separate jobs removed deploy gating on SBOM success; deploy can proceed even when SBOM generation/upload fails.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/run-ci-cd.yaml, line 265:

<comment>Extracting SBOM upload into separate jobs removed deploy gating on SBOM success; deploy can proceed even when SBOM generation/upload fails.</comment>

<file context>
@@ -236,16 +252,35 @@ jobs:
       frontend_ecr_repo: nest-production-frontend
+      release_version: ${{ needs.set-release-version.outputs.release_version }}
+
+  upload-production-sboms:
+    name: Upload Production SBOMs
+    if: |
</file context>

name: Upload Production SBOMs
if: |
github.repository == 'OWASP/Nest' &&
github.event_name == 'release' &&
github.event.action == 'published'
needs:
- scan-production-images
- set-release-version
permissions:
actions: write
contents: write
uses: ./.github/workflows/upload-sboms.yaml
with:
aws_role_name: nest-production-terraform
aws_role_session_name: GitHubActions-UploadProductionSBOMs
backend_ecr_repo: nest-production-backend
environment: production
frontend_ecr_repo: nest-production-frontend
release_tag: ${{ github.event.release.tag_name }}
release_version: ${{ needs.set-release-version.outputs.release_version }}

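Review bot: the deleted line `# Broader than typical scan jobs: required for "Upload SBOMs" (gh release upload).` was the only place that justified `contents: write`, and it was not carried over to `upload-production-sboms`, where that grant now lives; move it onto the new job's `permissions:` block so the elevated scope stays documented. `gh release upload` needs `contents: write` only, so `actions: write` can be dropped from the new job as well. The `if:` on `upload-production-sboms` correctly keeps `github.event.release.tag_name` behind `github.event_name == 'release'` and `github.event.action == 'published'`. For the P1 point raised above, the fix is to add `upload-production-sboms` to the `needs:` of whichever deploy job previously depended on `scan-production-images`, so a failed SBOM generation or upload still blocks the release.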
37 changes: 1 addition & 36 deletions .github/workflows/scan-images.yaml
@@ -23,11 +23,6 @@ on:
description: Frontend ECR repository name
required: true
type: string
release_tag:
description: Release tag for uploading SBOMs
required: false
type: string
default: ''
release_version:
description: The release version to set
required: true
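Review bot: removing the `release_tag` input means any caller that still passes `release_tag:` to `scan-images.yaml` will fail when the job is processed, since `workflow_call` rejects inputs the called workflow does not declare. The `scan-staging-images` and `scan-production-images` calls shown in the `run-ci-cd.yaml` hunks pass only the remaining inputs, so this is consistent; just confirm no other caller exists.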
@@ -47,10 +42,8 @@ jobs:
}}
FRONTEND_IMAGE: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/${{ inputs.frontend_ecr_repo }}:${{ inputs.release_version
}}
RELEASE_VERSION: ${{ inputs.release_version }}
permissions:
actions: write
contents: write
contents: read
runs-on: ubuntu-latest
steps:
- name: Check out repository
@@ -84,32 +77,4 @@ jobs:
command: |
make security-scan-backend-image BACKEND_IMAGE_NAME="$BACKEND_IMAGE"
make security-scan-frontend-image FRONTEND_IMAGE_NAME="$FRONTEND_IMAGE"

- name: Generate SBOM for backend image
run: |
make sbom-backend-image BACKEND_IMAGE_NAME="$BACKEND_IMAGE"

- name: Generate SBOM for frontend image
run: |
make sbom-frontend-image FRONTEND_IMAGE_NAME="$FRONTEND_IMAGE"

- name: Upload SBOMs to release
if: ${{ inputs.environment == 'production' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RELEASE_VERSION: ${{ inputs.release_version }}
RELEASE_TAG: ${{ inputs.release_tag }}
run: |
gh release upload "$RELEASE_TAG" \
"backend-sbom-$RELEASE_VERSION.cdx.json" \
"frontend-sbom-$RELEASE_VERSION.cdx.json"

- name: Upload SBOMs as artifact
if: ${{ inputs.environment == 'staging' }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: staging-sbom-${{ env.RELEASE_VERSION }}
path: |
backend-sbom-${{ env.RELEASE_VERSION }}.cdx.json
frontend-sbom-${{ env.RELEASE_VERSION }}.cdx.json
timeout-minutes: 10
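Review bot: moving SBOM generation into `upload-sboms.yaml` means the SBOM is now produced from a separate `docker pull` of `<repo>:${{ inputs.release_version }}` rather than from the image this job just scanned. Both workflows address the images by tag only, so unless the ECR repositories enforce tag immutability, the image that was scanned and the image described by the SBOM are not guaranteed to be the same bytes. Either resolve the digest in this job and pass it to the upload job (for example as a job output), or confirm tag immutability is enabled on the `nest-*-backend` / `nest-*-frontend` repositories and say so in a comment. If the collapsed earlier steps of this job already pull the images, the pull is also now done twice per run.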
108 changes: 108 additions & 0 deletions .github/workflows/upload-sboms.yaml
@@ -0,0 +1,108 @@
name: Upload SBOMs

on:
workflow_call:
inputs:
aws_role_name:
description: AWS role name to assume
required: true
type: string
aws_role_session_name:
description: AWS role session name
required: true
type: string
backend_ecr_repo:
description: Backend ECR repository name
required: true
type: string
environment:
description: The workflow environment (e.g., staging, production)
required: true
type: string
frontend_ecr_repo:
description: Frontend ECR repository name
required: true
type: string
release_tag:
description: Release tag for uploading SBOMs
required: false
type: string
default: ''
release_version:
description: The release version to use
required: true
type: string

env:
FORCE_COLOR: 1

permissions: {}

jobs:
upload-sboms:
name: Upload SBOMs
environment: ${{ inputs.environment }}
env:
BACKEND_IMAGE: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/${{ inputs.backend_ecr_repo }}:${{ inputs.release_version
}}
FRONTEND_IMAGE: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/${{ inputs.frontend_ecr_repo }}:${{ inputs.release_version
}}
RELEASE_VERSION: ${{ inputs.release_version }}
permissions:
actions: write
contents: write
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-region: ${{ vars.AWS_REGION }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-duration-seconds: 3600
role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
role-session-name: ${{ inputs.aws_role_session_name }}
role-skip-session-tagging: true
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.aws_role_name }}

- name: Login to Amazon ECR
uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5

- name: Pull container images
run: |
docker pull "$BACKEND_IMAGE"
docker pull "$FRONTEND_IMAGE"

- name: Generate SBOM for backend image
run: |
make sbom-backend-image BACKEND_IMAGE_NAME="$BACKEND_IMAGE"

- name: Generate SBOM for frontend image
run: |
make sbom-frontend-image FRONTEND_IMAGE_NAME="$FRONTEND_IMAGE"

- name: Upload SBOMs to release
if: ${{ inputs.environment == 'production' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RELEASE_VERSION: ${{ inputs.release_version }}
RELEASE_TAG: ${{ inputs.release_tag }}
run: |
gh release upload "$RELEASE_TAG" \

P2: release_tag is optional, but production upload always requires it; this can make the production SBOM upload fail at runtime when the input is omitted.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/upload-sboms.yaml, line 96:

<comment>`release_tag` is optional, but production upload always requires it; this can make the production SBOM upload fail at runtime when the input is omitted.</comment>

<file context>
@@ -0,0 +1,108 @@
+          RELEASE_VERSION: ${{ inputs.release_version }}
+          RELEASE_TAG: ${{ inputs.release_tag }}
+        run: |
+          gh release upload "$RELEASE_TAG" \
+            "backend-sbom-$RELEASE_VERSION.cdx.json" \
+            "frontend-sbom-$RELEASE_VERSION.cdx.json"
</file context>

"backend-sbom-$RELEASE_VERSION.cdx.json" \
"frontend-sbom-$RELEASE_VERSION.cdx.json"

- name: Upload SBOMs as artifact
if: ${{ inputs.environment == 'staging' }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: staging-sbom-${{ env.RELEASE_VERSION }}
path: |
backend-sbom-${{ env.RELEASE_VERSION }}.cdx.json
frontend-sbom-${{ env.RELEASE_VERSION }}.cdx.json
timeout-minutes: 10
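Review bot: `gh release upload` without `--clobber` fails when an asset of the same name already exists on the release, so re-running the `published` release workflow (including a re-run after a failure in a later job) will fail this step on `backend-sbom-$RELEASE_VERSION.cdx.json`; add `--clobber` if re-runs are expected to refresh the SBOMs, or leave it off deliberately and document that a second upload must fail. Two smaller points: the step-level `RELEASE_VERSION: ${{ inputs.release_version }}` duplicates the job-level `env` entry of the same name and can go; and the `release_tag` issue raised above is best closed inside this workflow, e.g. `if: ${{ inputs.environment == 'production' && inputs.release_tag != '' }}` on the upload step or a `[ -n "$RELEASE_TAG" ]` check before `gh release upload`, rather than relying on every caller to pass the tag.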
1 change: 1 addition & 0 deletions cspell/custom-dict.txt
@@ -207,6 +207,7 @@ saft
sakanashi
samm
sbom
sboms
schemathesis
semgrep
seo