action.yml

name: "CycloneDX SBOM action"
description: "Generate CycloneDX SBOM with Syft"

inputs:
  image:
    required: true
    description: "The Docker image to scan."
    # i.e: "example/image_name:tag"
  filename:
    required: true
    description: "The generated SBOM file name"
  upload-artifact:
    required: false
    description: "Attach the SBOM to the workflow"
    default: "true"
  upload-release-assets:
    required: false
    description: "Attach the SBOM to the release"
    default: "true"
  syft-version:
    required: false
    description: "Syft version"
    default: v0.105.0

runs:
  using: "composite"
  steps:
    - uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
      with:
        image: ${{ inputs.image }}
        artifact-name: ${{ inputs.filename }}
        output-file: ${{ inputs.filename }}
        format: cyclonedx-json
        syft-version: ${{ inputs.syft-version }}
        upload-artifact: ${{ inputs.upload-artifact }}
        upload-release-assets: ${{ inputs.upload-release-assets }}
      env:
        SYFT_QUIET: true
    - name: Sign CycloneDX SBOM
      if: inputs.upload-artifact == 'true' && env.GPG_PRIVATE_KEY_PASSPHRASE && env.GPG_PRIVATE_KEY_BASE64
      shell: bash
      run: |
        export GNUPGHOMEDIR=gnupg/
        mkdir --parent "${GNUPGHOMEDIR}"
        echo "${GPG_PRIVATE_KEY_PASSPHRASE}" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --quiet --import <(echo "${GPG_PRIVATE_KEY_BASE64}")
        echo "${GPG_PRIVATE_KEY_PASSPHRASE}" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --quiet --detach-sign --armor "${{ inputs.filename }}"
        rm -rf "${GNUPGHOMEDIR}"
    - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
      if: inputs.upload-artifact == 'true'
      with:
        name: "${{ inputs.filename }}"
        path: |
          ${{ inputs.filename }}
          ${{ inputs.filename }}.asc
        overwrite: true
    - name: Upload binaries to release
      if: inputs.upload-release-assets == 'true' && startsWith(github.ref, 'refs/tags/')
      uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
      with:
        repo_token: ${{ github.token }}
        file_glob: true
        file: "${{ inputs.filename }}?(.asc)"
        tag: ${{ github.ref }}
        overwrite: true