
# ********************************************************************************
# Copyright (c) 2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made
# available under the terms of the Apache Software License 2.0
# which is available at https://www.apache.org/licenses/LICENSE-2.0.
#
# SPDX-License-Identifier: Apache-2.0
# ********************************************************************************
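---
name: Validate CycloneDX CDXA

# Only pull requests that touch this workflow or an XML document trigger a run.
# Because the workflow file itself is in the paths filter, a run can be
# triggered by a PR that changes no XML file at all; the validation step
# below handles that case explicitly instead of failing.
on:
  pull_request:
    branches: [main]
    paths:
      - ".github/workflows/validate-cdxa.yml"
      - "**/*.xml"

# Least privilege for the job token: checkout needs read on contents and
# `gh pr view` needs read on pull requests; nothing here writes.
permissions:
  contents: read
  pull-requests: read

# Cancel existing runs if user makes another push.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  validate_and_verify_cyclonedx_cdxa:
    name: validate_cdxa
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Download cyclonedx-cli
        # The `latest` release asset is unpinned: each run fetches whatever the
        # upstream project published most recently, so the tool this workflow
        # trusts can change between runs. Pin a release tag and fill in its
        # published sha256 (CYCLONEDX_CLI_SHA256 below) once one is chosen.
        # `--fail` makes curl exit non-zero on an HTTP error instead of saving
        # the error page as the "binary".
        shell: bash
        run: |
          curl --fail --location --retry 3 --remote-name \
            "https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64"
          if [ -n "$CYCLONEDX_CLI_SHA256" ]; then
            echo "$CYCLONEDX_CLI_SHA256  cyclonedx-linux-x64" | sha256sum --check -
          else
            echo "::warning::CYCLONEDX_CLI_SHA256 is not set; the downloaded cyclonedx-cli was not integrity-checked"
          fi
          chmod +x cyclonedx-linux-x64
        env:
          # Expected sha256 of the cyclonedx-linux-x64 asset. Empty skips the
          # check (with a warning); set it when the release is pinned.
          CYCLONEDX_CLI_SHA256: ""

      - name: Validate CDXA documents using cyclonedx-cli
        shell: bash
        run: |
          # Collect the .xml paths changed by the PR. The filtering is done in
          # jq so that "no XML files" is an empty result rather than an error
          # (grep would exit 1 and abort the step under `pipefail`), while a
          # failing `gh` call still fails the assignment and the step.
          CHANGED_XML=$(gh pr view "$PR_NUMBER" --repo "$REPOSITORY" --json files \
            --jq '.files[].path | select(endswith(".xml"))')
          if [ -z "$CHANGED_XML" ]; then
            echo "No XML files changed in PR #$PR_NUMBER; nothing to validate."
            exit 0
          fi
          mapfile -t XML_FILES <<< "$CHANGED_XML"

          for XML_FILE in "${XML_FILES[@]}"; do
            # The PR file list also contains deleted and renamed-away paths,
            # which do not exist in the checkout and cannot be validated.
            if [ ! -f "$XML_FILE" ]; then
              echo "Skipping $XML_FILE: not present in the checkout"
              continue
            fi
            KEY_FILE="$XML_FILE.sign.pub"

            echo "CycloneDX validating file: $XML_FILE"
            ./cyclonedx-linux-x64 validate --input-file "$XML_FILE" --fail-on-errors --input-version v1_6

            if [ ! -f "$KEY_FILE" ]; then
              echo "::error file=$XML_FILE::missing public key $KEY_FILE for signature verification"
              exit 1
            fi
            # The key file is read from the same PR checkout as the document,
            # so a PR can ship a new key next to a new signature. This step
            # therefore proves the document is consistent with the key beside
            # it; trust in the key itself must be established outside the PR
            # tree (e.g. by comparing it against a key the project controls).
            echo "Verifying Signature of file: $XML_FILE using public key $KEY_FILE"
            ./cyclonedx-linux-x64 verify all "$XML_FILE" --key-file "$KEY_FILE"
          done
        env:
          REPOSITORY: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}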