CLDC-4473: Add pipeline steps for SBOM tracking and upload (#3351)

* feat: add sbom pipeline step using dependency-track skill * Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2 days ago · 18d681397e
4 changed files with 77 additions and 0 deletions
--- a/.claude/settings.json
+++ b/.claude/settings.json
@ -0,0 +1,5 @@
+{
+  "enabledPlugins": {
+    "dependency-track@skillwire": true
+  }
+}
--- a/.github/workflows/production_pipeline.yml
+++ b/.github/workflows/production_pipeline.yml
@ -20,3 +20,14 @@ jobs:
      release_tag: ${{ needs.test.outputs.releasetag }}
    permissions:
      id-token: write
+
+  sbom:
+    name: Upload SBOM
+    needs: [aws_deploy]
+    permissions:
+      contents: read
+    uses: ./.github/workflows/upload-sbom.yml
+    with:
+      projectversion: prod
+    secrets:
+      DTRACK_API_KEY: ${{ secrets.DTRACK_API_KEY }}
--- a/.github/workflows/staging_pipeline.yml
+++ b/.github/workflows/staging_pipeline.yml
@ -32,6 +32,15 @@ jobs:
    permissions:
      id-token: write

+  sbom:
+    name: Upload SBOM
+    needs: [aws_deploy]
+    uses: ./.github/workflows/upload-sbom.yml
+    with:
+      projectversion: staging
+    secrets:
+      DTRACK_API_KEY: ${{ secrets.DTRACK_API_KEY }}
+
  performance:
    needs: [aws_deploy]
    runs-on: ubuntu-latest
--- a/.github/workflows/upload-sbom.yml
+++ b/.github/workflows/upload-sbom.yml
@ -0,0 +1,52 @@
+name: Upload SBOM
+
+# Generates a CycloneDX SBOM with Syft (auto-detects both the Ruby gems in
+# Gemfile.lock and the Node packages in yarn.lock) and uploads it to
+# Dependency-Track. Called from the staging and production pipelines after a
+# successful deploy.
+
+on:
+  workflow_call:
+    inputs:
+      projectversion:
+        required: true
+        type: string
+    secrets:
+      DTRACK_API_KEY:
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  sbom:
+    name: Generate and upload SBOM
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - run: |
+          echo "SYFT_VERSION=v1.45.0" >> "$GITHUB_ENV"
+          echo "SYFT_SCRIPT_SHA=9673f867e50398b5d25ec97ff051a451c46d262c" >> "$GITHUB_ENV"
+
+      - uses: actions/cache@v4
+        with:
+          path: /usr/local/bin/syft
+          key: syft-${{ env.SYFT_VERSION }}
+
+      - name: Install Syft
+        run: |
+          [ -f /usr/local/bin/syft ] || \
+            curl -sSfL "https://raw.githubusercontent.com/anchore/syft/${SYFT_SCRIPT_SHA}/install.sh" | sh -s -- -b /usr/local/bin "$SYFT_VERSION"
+
+      - run: syft . -o cyclonedx-xml=bom.xml
+
+      - uses: DependencyTrack/gh-upload-sbom@v3
+        with:
+          serverhostname: api-deps.softwire.com
+          apikey: ${{ secrets.DTRACK_API_KEY }}
+          autocreate: true
+          projectname: CORE
+          projectversion: ${{ inputs.projectversion }}
+          parentname: Support
+          bomfilename: bom.xml