fix(sbom): replace DependencyTrack/gh-upload-sbom node20 action with curl#80

Merged: pgmac merged 1 commit into main from fix/replace-dtrack-node20-action on Jun 14, 2026

Conversation

@pgmac pgmac commented Jun 14, 2026

Summary

  • DependencyTrack/gh-upload-sbom@v3 (latest: v3.1.0) uses node20 runtime — deprecated in GitHub Actions, no upstream fix exists
  • Replaces the action with an equivalent run: step using base64 + jq + curl
  • Replicates the same PUT /api/v1/bom JSON payload the action sends: projectName, projectVersion, autoCreate: true, bom (base64, UTF-8 BOM stripped), projectTags (comma-separated → [{name}] array)
  • All secrets via env: vars — no injection risk

All other actions in the workflows are already on node24 or composite.

Test plan

  • Trigger SBOM workflow — "Upload SBoM to Dependency Track" step succeeds
  • Project appears/updates in DTrack UI with correct tags
  • No node20 deprecation warnings in workflow run

🤖 Generated with Claude Code

…curl

DependencyTrack/gh-upload-sbom@v3 (latest: v3.1.0) uses node20 runtime,
which is deprecated in GitHub Actions. No node22+ release exists upstream.

Replaces the action with an equivalent run: step using base64 + jq + curl,
replicating the same PUT /api/v1/bom JSON payload including projectTags.
All secrets passed through env: vars.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
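The replacement `run:` step described in the summary and the commit message, written out as an added example that is not the PR's own workflow code. The variable names DTRACK_URL, DTRACK_API_KEY, PROJECT_NAME, PROJECT_VERSION, PROJECT_TAGS and SBOM_PATH are assumptions (in a workflow they would be populated from the `env:` block), and the upload uses the `X-Api-Key` header that Dependency-Track's REST API authenticates with.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own workflow step: build and send the same
# PUT /api/v1/bom payload the PR describes, taking every input from env vars.
# Assumed variable names: DTRACK_URL, DTRACK_API_KEY, PROJECT_NAME,
# PROJECT_VERSION, PROJECT_TAGS (comma-separated), SBOM_PATH. Needs jq, base64, curl.
set -eu

# base64 of the SBOM file on one line, with a leading UTF-8 BOM (EF BB BF)
# removed first, as the replaced action did.
encode_sbom() {
  if [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
    tail -c +4 "$1"
  else
    cat "$1"
  fi | base64 | tr -d '\n'
}

# Build the JSON body with jq --arg so names, versions and tags arrive as
# JSON-escaped values and are never interpolated into a shell string.
build_payload() {
  jq -n \
    --arg name "$PROJECT_NAME" \
    --arg version "$PROJECT_VERSION" \
    --arg bom "$(encode_sbom "$SBOM_PATH")" \
    --arg tags "${PROJECT_TAGS:-}" \
    '{projectName: $name, projectVersion: $version, autoCreate: true, bom: $bom,
      projectTags: ($tags | split(",")
                          | map(sub("^ +"; "") | sub(" +$"; ""))
                          | map(select(length > 0))
                          | map({name: .}))}'
}

# PUT the payload; --fail turns any non-2xx answer into a failed step, and the
# API key is read from the environment into a header, not the command line.
upload_sbom() {
  build_payload | curl --fail --silent --show-error \
    -X PUT "${DTRACK_URL%/}/api/v1/bom" \
    -H "X-Api-Key: ${DTRACK_API_KEY}" \
    -H "Content-Type: application/json" \
    --data-binary @-
}

# Only contact the server when explicitly asked: `./upload-sbom.sh upload`.
if [ "${1:-}" = "upload" ]; then
  upload_sbom
fi
```

Running `build_payload` on its own (no `upload` argument) prints the JSON body, which is a convenient way to verify the tag array and BOM stripping before pointing the step at a real Dependency-Track instance.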
@pgmac pgmac requested a review from a team as a code owner June 14, 2026 07:47
@pgmac pgmac merged commit 5038ef3 into main Jun 14, 2026
2 checks passed
@pgmac pgmac deleted the fix/replace-dtrack-node20-action branch June 14, 2026 07:50
@github-actions

SBoM Vulnerability Scan Results

Scan Summary:

  • Total vulnerabilities found: 1
  • Critical: 0
  • High: 1
  • Medium: 0

SBoM Details:

  • Generated from commit: d33b789
  • SBoM format: CycloneDX
  • Repository: pgmac-net/pg-actions

View full SARIF report

This comment will be updated on each commit
