NODE-7025: Moving logic to script and action runs it

ekovalets · ekovalets · commit 8ce4ebbb583d · 2026-01-26T04:22:13.000Z
diff --git a/.github/actions/sbom-update/action.yml b/.github/actions/sbom-update/action.yml
@@ -1,91 +1,26 @@
 name: Generate SBOM
 description: Generates CycloneDX SBOM using cdxgen
+
 inputs:
   output-file:
     description: "Output filename for the SBOM"
     required: false
     default: "sbom.json"
+
 outputs:
   HAS_CHANGES:
     description: "Whether the SBOM has meaningful changes compared to the existing version"
-    value: ${{ steps.check_changes.outputs.HAS_CHANGES }}
+    value: ${{ steps.generate.outputs.HAS_CHANGES }}
+
 runs:
   using: composite
   steps:
     - name: Generate SBOM
-      id: generate-sbom
-      shell: bash
-      run: |
-        echo "Generating SBOM for 'node' project..."
-        npx @cyclonedx/cyclonedx-npm --omit dev --package-lock-only --output-file sbom-new.json --output-format json --spec-version 1.5
-
-    - name: Validate SBOM presence
-      shell: bash
-      run: |
-        if [ ! -f "sbom-new.json" ]; then
-          echo "Error: SBOM file not found"
-          exit 1
-        fi
-        echo "SBOM file generated: sbom-new.json"
-
-    - name: Download CycloneDX CLI
-      shell: bash
-      run: |
-        curl -L -s -o /tmp/cyclonedx "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64"
-        chmod +x /tmp/cyclonedx
-
-    - name: Validate SBOM
-      shell: bash
-      run: /tmp/cyclonedx validate --input-file sbom-new.json --fail-on-errors
-
-    - name: Check for SBOM changes
-      id: check_changes
-      if: steps.generate-sbom.outcome == 'success'
+      id: generate
       shell: bash
       env:
-        SBOM_FILE: ${{ inputs.output-file }}
-      run: |
-        JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)'
-
-        if [ -f "$SBOM_FILE" ]; then
-          echo "Comparing new SBOM with existing $SBOM_FILE..."
-
-          # First try cyclonedx diff for component-level comparison
-          DIFF_OUTPUT=$(/tmp/cyclonedx diff "$SBOM_FILE" sbom-new.json --component-versions 2>/dev/null || true)
-
-          if echo "$DIFF_OUTPUT" | grep -q "^None$"; then
-            echo "No component changes detected via cyclonedx diff"
-
-            # Double-check with jq normalization (excludes metadata like timestamps)
-            if diff -q \
-               <(cat "$SBOM_FILE" | jq -r "$JQ_NORMALIZER") \
-               <(cat sbom-new.json | jq -r "$JQ_NORMALIZER") > /dev/null 2>&1; then
-              echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT
-              echo "No meaningful changes detected in SBOM"
-              rm sbom-new.json
-            else
-              echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
-              echo "Changes detected in SBOM (non-component changes)"
-              mv sbom-new.json "$SBOM_FILE"
-            fi
-          else
-            echo "Component changes detected:"
-            echo "$DIFF_OUTPUT"
-            echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
-            mv sbom-new.json "$SBOM_FILE"
-          fi
-        else
-          echo "No existing $SBOM_FILE found, creating initial version"
-          echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
-          mv sbom-new.json "$SBOM_FILE"
-        fi
-      continue-on-error: true
-
-    - name: Final SBOM validation
-      shell: bash
+        SBOM_OUTPUT_FILE: ${{ inputs.output-file }}
       run: |
-        if [ ! -f "${{ inputs.output-file }}" ]; then
-          echo "Error: Final SBOM file not found at ${{ inputs.output-file }}"
-          exit 1
-        fi
-        echo "SBOM file validated: ${{ inputs.output-file }}"
+        SCRIPT_DIR="${{ github.action_path }}"
+        chmod +x "${SCRIPT_DIR}/generate-sbom.sh"
+        "${SCRIPT_DIR}/generate-sbom.sh" "$SBOM_OUTPUT_FILE"
diff --git a/.github/actions/sbom-update/generate-sbom.sh b/.github/actions/sbom-update/generate-sbom.sh
@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+#
+# generate-sbom.sh - Generate and validate CycloneDX SBOM
+#
+# Usage: ./generate-sbom.sh [output-file]
+#
+# Environment variables:
+#   GITHUB_OUTPUT - Path to GitHub Actions output file (optional)
+#
+
+set -euo pipefail
+
+SBOM_FILE="${1:-sbom.json}"
+TEMP_SBOM="sbom-new.json"
+CYCLONEDX_CLI="/tmp/cyclonedx"
+CYCLONEDX_CLI_URL="https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64"
+JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)'
+
+echo "Starting SBOM generation (output: $SBOM_FILE)"
+
+echo "Generating SBOM for 'node' project..."
+
+if ! npx @cyclonedx/cyclonedx-npm \
+    --omit dev \
+    --package-lock-only \
+    --output-file "$TEMP_SBOM" \
+    --output-format json \
+    --spec-version 1.5; then
+    echo "ERROR: Failed to generate SBOM" >&2
+    exit 1
+fi
+
+if [[ ! -f "$TEMP_SBOM" ]]; then
+    echo "ERROR: SBOM file not found after generation" >&2
+    exit 1
+fi
+
+echo "SBOM file generated: $TEMP_SBOM"
+
+echo "Downloading CycloneDX CLI..."
+
+if ! curl -L -s -o "$CYCLONEDX_CLI" "$CYCLONEDX_CLI_URL"; then
+    echo "ERROR: Failed to download CycloneDX CLI" >&2
+    exit 1
+fi
+
+chmod +x "$CYCLONEDX_CLI"
+
+if [[ ! -x "$CYCLONEDX_CLI" ]]; then
+    echo "ERROR: CycloneDX CLI is not executable" >&2
+    exit 1
+fi
+
+echo "CycloneDX CLI ready at $CYCLONEDX_CLI"
+
+echo "Validating SBOM: $TEMP_SBOM"
+
+if ! "$CYCLONEDX_CLI" validate --input-file "$TEMP_SBOM" --fail-on-errors; then
+    echo "ERROR: SBOM validation failed for $TEMP_SBOM" >&2
+    exit 1
+fi
+
+echo "SBOM validation passed: $TEMP_SBOM"
+
+echo "Checking for SBOM changes..."
+
+HAS_CHANGES="false"
+
+if [[ ! -f "$SBOM_FILE" ]]; then
+    echo "No existing $SBOM_FILE found, creating initial version"
+    mv "$TEMP_SBOM" "$SBOM_FILE"
+    HAS_CHANGES="true"
+else
+    echo "Comparing new SBOM with existing $SBOM_FILE..."
+
+    # Try cyclonedx diff for component-level comparison
+    DIFF_OUTPUT=$("$CYCLONEDX_CLI" diff "$SBOM_FILE" "$TEMP_SBOM" --component-versions 2>/dev/null || true)
+
+    if echo "$DIFF_OUTPUT" | grep -q "^None$"; then
+        echo "No component changes detected via cyclonedx diff"
+
+        # Double-check with jq normalization (excludes metadata like timestamps)
+        if diff -q \
+            <(jq -r "$JQ_NORMALIZER" < "$SBOM_FILE") \
+            <(jq -r "$JQ_NORMALIZER" < "$TEMP_SBOM") > /dev/null 2>&1; then
+            echo "No meaningful changes detected in SBOM"
+            rm -f "$TEMP_SBOM"
+            HAS_CHANGES="false"
+        else
+            echo "Changes detected in SBOM (non-component changes)"
+            mv "$TEMP_SBOM" "$SBOM_FILE"
+            HAS_CHANGES="true"
+        fi
+    else
+        echo "Component changes detected:"
+        echo "$DIFF_OUTPUT"
+        mv "$TEMP_SBOM" "$SBOM_FILE"
+        HAS_CHANGES="true"
+    fi
+fi
+
+if [[ -n "${GITHUB_OUTPUT:-}" ]]; then
+    echo "HAS_CHANGES=${HAS_CHANGES}" >> "$GITHUB_OUTPUT"
+fi
+echo "Output: HAS_CHANGES=${HAS_CHANGES}"
+
+if [[ ! -f "$SBOM_FILE" ]]; then
+    echo "ERROR: Final SBOM file not found at $SBOM_FILE" >&2
+    exit 1
+fi
+
+echo "SBOM file validated: $SBOM_FILE"
+echo "SBOM generation completed successfully"
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -8,9 +8,6 @@ on:
       - 'package-lock.json'
   workflow_dispatch:
 
-env:
-  SBOM_FILE: "sbom.json"
-
 permissions:
   contents: write
 
@@ -20,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     
     concurrency:
-      group: sbom-${{ github.ref }}
+      group: sbom-update
       cancel-in-progress: false
 
     steps:
@@ -39,14 +36,14 @@ jobs:
         id: generate_sbom
         uses: ./.github/actions/sbom-update
         with:
-          output-file: ${{ env.SBOM_FILE }}
+          output-file: sbom.json
 
       - name: Commit SBOM changes
         if: steps.generate_sbom.outputs.HAS_CHANGES == 'true'
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add ${{ env.SBOM_FILE }}
+          git add sbom.json
           git commit -m "chore(deps): Update SBOM after dependency changes"
           git push
           echo "SBOM updated and committed" >> $GITHUB_STEP_SUMMARY
