1- name : Generate and Sign SBOM
1+ name : Build Hugo Site And Generate SBOM
22
33on :
44 push :
5- branches : [main, add-sbom-workflow]
6- # Allows you to run this workflow manually from the Actions tab
5+ branches :
6+ - main
7+
78 workflow_dispatch :
89
910env :
1011 COMPONENT_NAME : shiftleftcyber.github.io
1112 COMPONENT_VERSION : ${{ github.sha }}
13+ # Latest versions as of 2025-10-14
14+ GO_VERSION : 1.25.3
15+ HUGO_VERSION : 0.151.0
16+ NODE_VERSION : 24.10.0
17+ TZ : America/Toronto
18+
19+ permissions :
20+ contents : read
21+ pages : write
22+ id-token : write
23+
24+ concurrency :
25+ group : " pages"
26+ cancel-in-progress : false
27+
28+ defaults :
29+ run :
30+ shell : bash
1231
1332jobs :
14- sbom :
33+ build :
1534 runs-on : ubuntu-latest
16- permissions :
17- actions : read
18- contents : write
19-
2035 steps :
21- - name : Checkout repository
22- uses : actions/checkout@v4
36+ - name : Checkout
37+ uses : actions/checkout@v5
38+ with :
39+ submodules : recursive
40+ fetch-depth : 0
41+ - name : Setup Go
42+ uses : actions/setup-go@v5
43+ with :
44+ go-version : ${{ env.GO_VERSION }}
45+ cache : false
46+ - name : Setup Node.js
47+ uses : actions/setup-node@v4
48+ with :
49+ node-version : ${{ env.NODE_VERSION }}
50+ - name : Setup Pages
51+ id : pages
52+ uses : actions/configure-pages@v5
53+ - name : Create directory for user-specific executable files
54+ run : |
55+ mkdir -p "${HOME}/.local"
56+ - name : Install Hugo
57+ run : |
58+ curl -sLJO "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz"
59+ mkdir "${HOME}/.local/hugo"
60+ tar -C "${HOME}/.local/hugo" -xf "hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz"
61+ rm "hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz"
62+ echo "${HOME}/.local/hugo" >> "${GITHUB_PATH}"
63+ - name : Verify installations
64+ run : |
65+ echo "Go: $(go version)"
66+ echo "Hugo: $(hugo version)"
67+ echo "Node.js: $(node --version)"
68+ - name : Install Node.js dependencies
69+ run : |
70+ [[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true
71+ - name : Configure Git
72+ run : |
73+ git config core.quotepath false
74+ - name : Cache restore
75+ id : cache-restore
76+ uses : actions/cache/restore@v4
77+ with :
78+ path : ${{ runner.temp }}/hugo_cache
79+ key : hugo-${{ github.run_id }}
80+ restore-keys :
81+ hugo-
82+ - name : Build the site
83+ run : |
84+ hugo \
85+ --gc \
86+ --minify \
87+ --baseURL "${{ steps.pages.outputs.base_url }}/" \
88+ --cacheDir "${{ runner.temp }}/hugo_cache"
89+ - name : Cache save
90+ id : cache-save
91+ uses : actions/cache/save@v4
92+ with :
93+ path : ${{ runner.temp }}/hugo_cache
94+ key : ${{ steps.cache-restore.outputs.cache-primary-key }}
95+ - name : Upload artifact
96+ uses : actions/upload-pages-artifact@v3
97+ with :
98+ path : ./public
2399
100+ # SBOM Generation job
101+ generate-sbom :
102+ runs-on : ubuntu-latest
103+ needs : build
104+ steps :
24105 - name : Generate SBOM with Syft
25106 uses : anchore/sbom-action@v0.20.6
26107 with :
27108 path : ./marketing/
28109 format : cyclonedx-json
29110 artifact-name : ${{ env.COMPONENT_NAME }}.${{ env.COMPONENT_VERSION }}.sbom.cdx.json
111+ - name : Archive
112+ uses : actions/upload-artifact@v4
113+ with :
114+ name : secure-sbom-api-sbom
115+ path : ${{ github.workspace }}/${{ env.COMPONENT_NAME }}.${{ env.COMPONENT_VERSION }}.sbom.cdx.json
116+ retention-days : 5
117+ - name : Sign SBOM
118+ uses : shiftleftcyber/secure-sbom-action@v1.3.1
119+ with :
120+ sbom_file : ${{ github.workspace }}/${{ env.COMPONENT_NAME }}.${{ env.COMPONENT_VERSION }}.sbom.cdx.json
121+ secure_sbom_action : sign
122+ api_key : ${{ secrets.SBOM_API_KEY }}
123+ key_id : ${{ secrets.SECURE_SBOM_KEYID }}
124+
125+ - name : Archive (Signed SBOM)
126+ uses : actions/upload-artifact@v4
127+ with :
128+ name : secure-sbom-api-signed-sbom
129+ path : ${{ github.workspace }}/${{ env.COMPONENT_NAME }}.${{ env.COMPONENT_VERSION }}.sbom.cdx.signed.json
130+ retention-days : 5
131+
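Review bot: The new `generate-sbom` job never checks out the repository, so the Syft step's `path: ./marketing/` points at an empty workspace on the fresh runner; add `- uses: actions/checkout@v5` as its first step, or generate the SBOM in the `build` job (ideally from the built `./public` output that is actually published) where the sources already exist. The two third-party actions in that job, `anchore/sbom-action@v0.20.6` and `shiftleftcyber/secure-sbom-action@v1.3.1` — the latter receives `secrets.SBOM_API_KEY` and `secrets.SECURE_SBOM_KEYID` — are pinned by mutable tag; pin them to a full commit SHA so a moved tag cannot change what runs with the signing credentials. The workflow-level `pages: write` and `id-token: write` are inherited by the SBOM job, which needs only `contents: read`; scope them to the `build` job's own `permissions:` block, and since no `deploy-pages` step is visible in this hunk, confirm they are needed at all. The `Install Hugo` step downloads the tarball with `curl -sLJO` and no integrity check, so a failed or redirected download is not detected until `tar` fails and a tampered archive is not detected at all; use `curl -fsSLO` and verify the archive's SHA-256 against the checksums file published alongside the release before extracting, e.g. `grep " hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz$" <checksums-file> | sha256sum -c -`.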