From 307ba101e84633efc9f33391c7352b45a8cca494 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 17 Jan 2026 22:25:28 +0000 Subject: [PATCH 1/3] Initial plan From d576471e4e15424eba36435cb9eebe4c951ddb7f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 17 Jan 2026 22:29:46 +0000 Subject: [PATCH 2/3] Initial plan for moving SBOM generation after release creation Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/daily-regulatory.lock.yml | 2 +- pkg/workflow/data/action_pins.json | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 0d41fc984b8..335ae4d1218 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -167,7 +167,7 @@ jobs: env: TOKEN_CHECK: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} if: env.TOKEN_CHECK != '' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json index 189d80ee30a..9326fe7c8f3 100644 --- a/pkg/workflow/data/action_pins.json +++ b/pkg/workflow/data/action_pins.json @@ -45,6 +45,11 @@ "version": "v6.0.0", "sha": "018cc2cf5baa6db3ef3c5f8a56943fffe632ef53" }, + "actions/github-script@v7": { + "repo": "actions/github-script", + "version": "v7", + "sha": "f28e40c7f34bde8b3046d885e986cb6290c5673b" + }, "actions/github-script@v7.0.1": { "repo": "actions/github-script", "version": "v7.0.1", From b4bdaa7df5971c9894f36b34fbbfc40c34ff17d8 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 17 Jan 2026 22:32:45 +0000 Subject: [PATCH 3/3] Move SBOM generation to after release creation - Moved SBOM generation steps (SPDX and CycloneDX) to after release creation - Release is now created with binaries only, SBOM files uploaded separately - Added new step to upload SBOM files to existing release after generation - Updated specs/artifacts.md to reflect SBOM artifacts now uploaded from release job Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/release.lock.yml | 76 ++++++++++++++------------ .github/workflows/release.md | 87 ++++++++++++++++-------------- specs/artifacts.md | 18 +++---- 3 files changed, 99 insertions(+), 82 deletions(-) diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 7551d2250d7..cd08b70f026 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
@@ -1285,36 +1285,6 @@ jobs: echo "✓ Binaries built successfully" env: RELEASE_TAG: ${{ needs.config.outputs.release_tag }} - - name: Download Go modules - run: go mod download - - name: Generate SBOM (SPDX format) - uses: anchore/sbom-action@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0 - with: - artifact-name: sbom.spdx.json - format: spdx-json - output-file: sbom.spdx.json - - name: Generate SBOM (CycloneDX format) - uses: anchore/sbom-action@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0 - with: - artifact-name: sbom.cdx.json - format: cyclonedx-json - output-file: sbom.cdx.json - - name: Audit SBOM files for secrets - run: | - echo "Auditing SBOM files for potential secrets..." - if grep -rE "GITHUB_TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY" sbom.*.json; then - echo "Error: Potential secrets found in SBOM files" - exit 1 - fi - echo "✓ No secrets detected in SBOM files" - - name: Upload SBOM artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: sbom-artifacts - path: | - sbom.spdx.json - sbom.cdx.json - retention-days: 7 - name: Setup Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to GitHub Container Registry @@ -1365,18 +1335,16 @@ jobs: run: | echo "Creating GitHub release: $RELEASE_TAG" - # Create release with all binaries + # Create release with binaries (SBOM files will be added later) RELEASE_ARGS=() if [ "$DRAFT_MODE" = "true" ]; then RELEASE_ARGS+=(--draft) echo "Creating draft release" fi - # Create the release and upload all artifacts + # Create the release and upload binaries gh release create "$RELEASE_TAG" \ dist/* \ - sbom.spdx.json \ - sbom.cdx.json \ --title "$RELEASE_TAG" \ --generate-notes \ "${RELEASE_ARGS[@]}" 
@@ -1391,6 +1359,46 @@ jobs: DRAFT_MODE: ${{ needs.config.outputs.draft_mode }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} RELEASE_TAG: ${{ needs.config.outputs.release_tag }} + - name: Download Go modules + run: go mod download + - name: Generate SBOM (SPDX format) + uses: anchore/sbom-action@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0 + with: + artifact-name: sbom.spdx.json + format: spdx-json + output-file: sbom.spdx.json + - name: Generate SBOM (CycloneDX format) + uses: anchore/sbom-action@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0 + with: + artifact-name: sbom.cdx.json + format: cyclonedx-json + output-file: sbom.cdx.json + - name: Audit SBOM files for secrets + run: | + echo "Auditing SBOM files for potential secrets..." + if grep -rE "GITHUB_TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY" sbom.*.json; then + echo "Error: Potential secrets found in SBOM files" + exit 1 + fi + echo "✓ No secrets detected in SBOM files" + - name: Upload SBOM artifacts + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: sbom-artifacts + path: | + sbom.spdx.json + sbom.cdx.json + retention-days: 7 + - name: Upload SBOM files to release + run: | + echo "Uploading SBOM files to release: $RELEASE_TAG" + gh release upload "$RELEASE_TAG" \ + sbom.spdx.json \ + sbom.cdx.json + echo "✓ SBOM files uploaded to release" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_TAG: ${{ needs.config.outputs.release_tag }} safe_outputs: needs: diff --git a/.github/workflows/release.md b/.github/workflows/release.md index b3a2e16addf..55c1eb5581f 100644 --- a/.github/workflows/release.md +++ b/.github/workflows/release.md 
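Review bot: The secret audit on the SBOM files no longer gates publication: in this hunk the `Generate SBOM`, `Audit SBOM files for secrets` and `Upload SBOM files to release` steps are appended after the `Create GitHub release` step whose `env:` block opens the hunk, so when `DRAFT_MODE` is not `true` the release is already public before the SBOMs exist, and a failure in generation or in the audit leaves a published release with no SBOM and nothing rolls it back. Consider always creating the release as a draft (`RELEASE_ARGS+=(--draft)` unconditionally in the create step) and publishing only after the upload step, e.g. `[ "$DRAFT_MODE" = "true" ] || gh release edit "$RELEASE_TAG" --draft=false`, or at least a final step guarded by `if: failure()` that records the partial state. The `gh release upload` call carries no `--clobber`, so a re-run of the job against an existing release will fail on the asset-already-exists error; whether that is the intended, tamper-resistant behaviour should be stated in a comment on that step. The enclosing job starts before this hunk.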
@@ -158,41 +158,6 @@ jobs: bash scripts/build-release.sh "$RELEASE_TAG" echo "✓ Binaries built successfully" - - name: Download Go modules - run: go mod download - - - name: Generate SBOM (SPDX format) - uses: anchore/sbom-action@v0 - with: - artifact-name: sbom.spdx.json - output-file: sbom.spdx.json - format: spdx-json - - - name: Generate SBOM (CycloneDX format) - uses: anchore/sbom-action@v0 - with: - artifact-name: sbom.cdx.json - output-file: sbom.cdx.json - format: cyclonedx-json - - - name: Audit SBOM files for secrets - run: | - echo "Auditing SBOM files for potential secrets..." - if grep -rE "GITHUB_TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY" sbom.*.json; then - echo "Error: Potential secrets found in SBOM files" - exit 1 - fi - echo "✓ No secrets detected in SBOM files" - - - name: Upload SBOM artifacts - uses: actions/upload-artifact@v6 - with: - name: sbom-artifacts - path: | - sbom.spdx.json - sbom.cdx.json - retention-days: 7 # Minimize exposure window - - name: Setup Docker Buildx uses: docker/setup-buildx-action@v3 @@ -253,18 +218,16 @@ jobs: run: | echo "Creating GitHub release: $RELEASE_TAG" - # Create release with all binaries + # Create release with binaries (SBOM files will be added later) RELEASE_ARGS=() if [ "$DRAFT_MODE" = "true" ]; then RELEASE_ARGS+=(--draft) echo "Creating draft release" fi - # Create the release and upload all artifacts + # Create the release and upload binaries gh release create "$RELEASE_TAG" \ dist/* \ - sbom.spdx.json \ - sbom.cdx.json \ --title "$RELEASE_TAG" \ --generate-notes \ "${RELEASE_ARGS[@]}" 
@@ -276,6 +239,52 @@ jobs: echo "✓ Release ID: $RELEASE_ID" echo "✓ Draft mode: $DRAFT_MODE" + - name: Download Go modules + run: go mod download + + - name: Generate SBOM (SPDX format) + uses: anchore/sbom-action@v0 + with: + artifact-name: sbom.spdx.json + output-file: sbom.spdx.json + format: spdx-json + + - name: Generate SBOM (CycloneDX format) + uses: anchore/sbom-action@v0 + with: + artifact-name: sbom.cdx.json + output-file: sbom.cdx.json + format: cyclonedx-json + + - name: Audit SBOM files for secrets + run: | + echo "Auditing SBOM files for potential secrets..." + if grep -rE "GITHUB_TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY" sbom.*.json; then + echo "Error: Potential secrets found in SBOM files" + exit 1 + fi + echo "✓ No secrets detected in SBOM files" + + - name: Upload SBOM artifacts + uses: actions/upload-artifact@v6 + with: + name: sbom-artifacts + path: | + sbom.spdx.json + sbom.cdx.json + retention-days: 7 # Minimize exposure window + + - name: Upload SBOM files to release + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_TAG: ${{ needs.config.outputs.release_tag }} + run: | + echo "Uploading SBOM files to release: $RELEASE_TAG" + gh release upload "$RELEASE_TAG" \ + sbom.spdx.json \ + sbom.cdx.json + echo "✓ SBOM files uploaded to release" + steps: - name: Setup environment and fetch release data env: diff --git a/specs/artifacts.md b/specs/artifacts.md index 24745191b57..0bc25afb626 100644 --- a/specs/artifacts.md +++ b/specs/artifacts.md 
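Review bot: The SBOM steps in this hunk set no `path` input and now run after the release binaries have been built and uploaded, so if `anchore/sbom-action` scans the checkout by default the SBOM catalogs whatever is on disk at that point, including `dist/`, rather than a defined target; set `path:` explicitly and add a comment stating what the SBOM is meant to describe, e.g. `# SBOM of the source tree for $RELEASE_TAG; the binaries themselves are not separately attested`. The `artifact-name` input suggests the action already uploads the SBOM as a workflow artifact, which would make the following `Upload SBOM artifacts` step a duplicate — worth confirming against the action's defaults. The `retention-days: 7 # Minimize exposure window` comment treats these files as sensitive, yet the new `Upload SBOM files to release` step attaches the same files permanently to the release, so one of the two intents should be spelled out next to the upload step. Nothing ties the uploaded SBOMs to the binaries (no checksum or signature is produced), so consumers cannot verify which build they describe; presumably acceptable, but it deserves a note. The enclosing job definition starts before this hunk.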
@@ -93,14 +93,6 @@ This section provides an overview of artifacts organized by job name, with dupli - **Download paths**: `/tmp/gh-aw/threat-detection/` - **Used in**: 63 workflow(s) - agent-performance-analyzer.md, agent-persona-explorer.md, archie.md, brave.md, breaking-change-checker.md, campaign-generator.md, changeset.md, ci-coach.md, ci-doctor.md, cli-consistency-checker.md, cloclo.md, code-scanning-fixer.md, commit-changes-analyzer.md, copilot-pr-merged-report.md, copilot-pr-nlp-analysis.md, craft.md, daily-choice-test.md, daily-copilot-token-report.md, daily-fact.md, daily-file-diet.md, daily-issues-report.md, daily-news.md, daily-observability-report.md, daily-repo-chronicle.md, deep-report.md, dependabot-go-checker.md, dev-hawk.md, dev.md, dictation-prompt.md, github-mcp-structural-analysis.md, glossary-maintainer.md, go-fan.md, go-pattern-detector.md, grumpy-reviewer.md, hourly-ci-cleaner.md, issue-classifier.md, issue-triage-agent.md, layout-spec-maintainer.md, mergefest.md, notion-issue-summary.md, pdf-summary.md, plan.md, poem-bot.md, pr-nitpick-reviewer.md, python-data-charts.md, q.md, release.md, repo-audit-analyzer.md, repository-quality-improver.md, research.md, scout.md, security-compliance.md, security-review.md, slide-deck-maintainer.md, stale-repo-identifier.md, super-linter.md, technical-doc-writer.md, tidy.md, typist.md, video-analyzer.md, weekly-issue-summary.md, workflow-generator.md, workflow-health-manager.md -### Job: `generate-sbom` - -**Artifacts Uploaded:** - -- `sbom-artifacts` - - **Paths**: `sbom.cdx.json`, `sbom.spdx.json` - - **Used in**: 1 workflow(s) - release.md - ### Job: `notion_add_comment` **Artifacts Downloaded:** 
@@ -117,6 +109,14 @@ This section provides an overview of artifacts organized by job name, with dupli - **Download paths**: `/tmp/gh-aw/repo-memory/default` - **Used in**: 8 workflow(s) - agent-performance-analyzer.md, copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-news.md, deep-report.md, metrics-collector.md, security-compliance.md, workflow-health-manager.md +### Job: `release` + +**Artifacts Uploaded:** + +- `sbom-artifacts` + - **Paths**: `sbom.cdx.json`, `sbom.spdx.json` + - **Used in**: 1 workflow(s) - release.md + ### Job: `safe_outputs` **Artifacts Downloaded:** @@ -3703,7 +3703,7 @@ This section provides an overview of artifacts organized by job name, with dupli - **Download path**: `/tmp/gh-aw/threat-detection/` - **Depends on jobs**: [agent] -#### Job: `generate-sbom` +#### Job: `release` **Uploads:**