.github/workflows/sbom.yaml

name: Validate SBOMs

on:
  pull_request:
    branches: ['main']

jobs:
  go-version-m:
    name: Generate go version -m
    runs-on: ubuntu-latest

    env:
      KO_DOCKER_REPO: localhost:1338

    steps:
      - uses: actions/setup-go@v3
        with:
          go-version: 1.17
          check-latest: true
      - uses: chainguard-dev/actions/setup-registry@main
      - uses: actions/checkout@v3

      - name: Generate
        run: |
          img=$(go run ./ build ./)
          go run ./ deps $img --sbom=go.version-m > gomod.txt
          cat gomod.txt

  cyclonedx:
    name: Validate CycloneDX SBOM
    runs-on: ubuntu-latest

    env:
      KO_DOCKER_REPO: localhost:1338

    steps:
      - uses: actions/setup-go@v3
        with:
          go-version: 1.17
          check-latest: true
      - uses: chainguard-dev/actions/setup-registry@main
      - uses: actions/checkout@v3

      - name: Install CycloneDX
        run: |
          wget https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.22.0/cyclonedx-linux-x64
          chmod +x cyclonedx-linux-x64

      - name: Generate and Validate
        run: |
          img=$(go run ./ build ./)
          go run ./ deps $img --sbom=cyclonedx > cyclonedx.json
          ./cyclonedx-linux-x64 validate --input-file=cyclonedx.json --fail-on-errors

      - uses: actions/upload-artifact@v3
        if: ${{ always() }}
        with:
          name: cyclonedx.json
          path: cyclonedx.json

  spdx:
    name: Validate SPDX SBOM
    runs-on: ubuntu-latest

    env:
      KO_DOCKER_REPO: localhost:1338

    steps:
      - uses: actions/setup-go@v3
        with:
          go-version: 1.17
          check-latest: true
      - uses: chainguard-dev/actions/setup-registry@main
      - uses: actions/checkout@v3

      - name: Install SPDX Tools
        run: |
          wget https://github.com/spdx/tools-java/releases/download/v1.0.4/tools-java-1.0.4.zip
          unzip tools-java-1.0.4.zip

      - name: Generate and Validate
        run: |
          img=$(go run ./ build ./)
          go run ./ deps $img --sbom=spdx | tee spdx.json

          java -jar ./tools-java-1.0.4-jar-with-dependencies.jar Verify spdx.json

      - uses: actions/upload-artifact@v3
        if: ${{ always() }}
        with:
          name: spdx.json
          path: spdx.json

  spdx-multi-arch:
    name: Validate SPDX multi-arch SBOM
    runs-on: ubuntu-latest

    env:
      KO_DOCKER_REPO: localhost:1338

    steps:
      - uses: actions/setup-go@v3
        with:
          go-version: 1.17
          check-latest: true
      - uses: chainguard-dev/actions/setup-registry@main
      - uses: actions/checkout@v3

      - name: Install SPDX Tools
        run: |
          wget https://github.com/spdx/tools-java/releases/download/v1.0.4/tools-java-1.0.4.zip
          unzip tools-java-1.0.4.zip

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.8.0
        with:
          cosign-release: 'v1.7.2'

      - name: Generate and Validate
        run: |
          img=$(go run ./ build --platform=linux/amd64,linux/arm64 ./)
          cosign download sbom $img | tee spdx-multi-arch.json

          java -jar ./tools-java-1.0.4-jar-with-dependencies.jar Verify spdx-multi-arch.json

      - uses: actions/upload-artifact@v3
        if: ${{ always() }}
        with:
          name: spdx-multi-arch.json
          path: spdx-multi-arch.json