From d33b78918a4e3452ed4f5c9c6a22db33150d2585 Mon Sep 17 00:00:00 2001
From: Paul Macdonnell
Date: Sun, 14 Jun 2026 17:47:37 +1000
Subject: [PATCH] fix(sbom): replace DependencyTrack/gh-upload-sbom node20 action with curl
DependencyTrack/gh-upload-sbom@v3 (latest: v3.1.0) uses node20 runtime, which is deprecated in GitHub Actions. No node22+ release exists upstream. Replaces the action with an equivalent run: step using base64 + jq + curl, replicating the same PUT /api/v1/bom JSON payload including projectTags. All secrets passed through env: vars.
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/sbom.yml | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 397d496..6cea35e 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -83,15 +83,27 @@ jobs:
           push-to-registry: false
       - name: Upload SBoM to Dependency Track
-        uses: DependencyTrack/gh-upload-sbom@v3
-        with:
-          serverhostname: "${{ secrets.DT_HOST }}"
-          apikey: ${{ secrets.DT_APIKEY }}
-          projectname: ${{ github.repository }}
-          projectversion: ${{ github.sha }}
-          projecttags: ${{ github.repository }}, ${{ github.ref_type }}, ${{ github.ref}}
-          bomfilename: "sbom.json"
-          autocreate: true
+        env:
+          DT_HOST: ${{ secrets.DT_HOST }}
+          DT_APIKEY: ${{ secrets.DT_APIKEY }}
+          PROJECT_NAME: ${{ github.repository }}
+          PROJECT_VERSION: ${{ github.sha }}
+          PROJECT_TAGS: "${{ github.repository }}, ${{ github.ref_type }}, ${{ github.ref }}"
+        run: |
+          BOM_B64=$(base64 -w 0 sbom.json)
+          [[ "${BOM_B64}" == 77u/* ]] && BOM_B64="${BOM_B64:4}"
+          TAGS=$(printf '%s' "${PROJECT_TAGS}" | jq -Rc 'split(",") | map(gsub("^ +| +$"; "") | {name: .})')
+          PAYLOAD=$(jq -n \
+            --arg name "${PROJECT_NAME}" \
+            --arg version "${PROJECT_VERSION}" \
+            --argjson tags "${TAGS}" \
+            --arg bom "${BOM_B64}" \
+            '{projectName: $name, projectVersion: $version, autoCreate: true, bom: $bom, projectTags: $tags}')
+          curl -sf -X PUT \
+            -H "X-Api-Key: ${DT_APIKEY}" \
+            -H "Content-Type: application/json" \
+            -d "${PAYLOAD}" \
+            "https://${DT_HOST}/api/v1/bom"
       - name: Get DTrack project URL
         id: dtrack-url
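Review bot: `--arg bom "${BOM_B64}"` and `-d "${PAYLOAD}"` put the entire base64-encoded SBOM into a single command-line argument, so on a Linux runner the step will die with "Argument list too long" as soon as the encoded BOM passes the per-argument limit (128 KiB), which a CycloneDX document for a project of any size easily does; the action this replaces built the request body in-process and had no such ceiling. Write the base64 to a file, hand it to jq with `--rawfile`, and pipe the rendered payload into curl with `-d @-`, which also keeps the SBOM out of the runner's process list (the `X-Api-Key` header still lands on argv; that is tolerable on ephemeral hosted runners, less so on shared self-hosted ones, where a `-K` config file would be the alternative). `-sf` additionally discards the response body on a 4xx/5xx, so a rejected upload leaves nothing in the log; `-sS --fail-with-body` keeps the server's error text. The UTF-8 BOM strip moves into the jq program so it still applies to the file-sourced value. `base64 -w 0` is GNU-specific and fails on a macOS runner; whether this job is pinned to ubuntu is outside the hunk.
```yaml
        run: |
          base64 -w 0 sbom.json > bom.b64
          # … unchanged: TAGS=$(…) …
          jq -n \
            --arg name "${PROJECT_NAME}" \
            --arg version "${PROJECT_VERSION}" \
            --argjson tags "${TAGS}" \
            --rawfile bom bom.b64 \
            '{projectName: $name, projectVersion: $version, autoCreate: true,
              bom: ($bom | if startswith("77u/") then .[4:] else . end),
              projectTags: $tags}' \
          | curl -sS --fail-with-body -X PUT \
              -H "X-Api-Key: ${DT_APIKEY}" \
              -H "Content-Type: application/json" \
              -d @- \
              "https://${DT_HOST}/api/v1/bom"
```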