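# Build a CycloneDX SBOM for the Rust workspace on every push to main (and on
# demand) and publish it as a workflow artifact.
name: SBOM

on:
  push:
    branches:
      - main
  workflow_dispatch:

# Least privilege: the job only reads the checkout and never writes back to
# the repository, so the GITHUB_TOKEN gets no other scope.
permissions:
  contents: read

jobs:
  generate:
    name: Generate CycloneDX SBOM
    runs-on: ubuntu-latest
    # Bound a hung `cargo install` or toolchain download instead of burning
    # the runner's default six-hour limit.
    timeout-minutes: 30
    steps:
      - name: Check out repository
        # NOTE(review): every `uses:` below points at a mutable tag. The usual
        # supply-chain hardening is to pin each to a full-length commit SHA and
        # keep the tag as a trailing comment; no SHAs are asserted here.
        uses: actions/checkout@v4
        with:
          # No later step pushes or otherwise needs git credentials, so do not
          # leave the GITHUB_TOKEN in .git/config for the rest of the job.
          # Reinstate only if Cargo.toml pulls private git dependencies.
          persist-credentials: false

      - name: Install stable Rust toolchain
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          # Presumably clears the action's default RUSTFLAGS so dependency
          # warnings cannot fail SBOM generation - confirm against the action.
          rustflags: ""
          cache-workspaces: |
            . -> target

      - name: Install cargo-cyclonedx
        # --locked builds the tool from its own Cargo.lock. The tool's release
        # is still unpinned; add `--version <x.y.z>` once a known-good release
        # is chosen so the generator itself is reproducible.
        run: cargo install cargo-cyclonedx --locked

      - name: Generate CycloneDX JSON SBOM
        shell: bash
        # --all-features enumerates every optional dependency, a superset of
        # what a default build ships; drop it if the SBOM must match release
        # artifacts exactly. The override filename is expected to yield
        # sbom.cyclonedx.json, which the upload step below looks for.
        run: |
          cargo cyclonedx \
            --manifest-path Cargo.toml \
            --all-features \
            --format json \
            --spec-version 1.5 \
            --override-filename sbom.cyclonedx

      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-cyclonedx
          path: sbom.cyclonedx.json
          # Fail the job rather than silently publish an empty artifact.
          if-no-files-found: error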