sbom

mpreyskurantov · mpreyskurantov · commit 9ba67f5ec005 · 2026-06-12T11:49:33.000+03:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -10,6 +10,7 @@ on:
 
 permissions:
   contents: read
+  packages: read
   id-token: write
 
 jobs:
@@ -41,5 +42,42 @@ jobs:
       - name: Build devextreme-schematics
         run: pnpm --filter devextreme-schematics run build
 
-      - name: Publish packages
-        run: pnpm --filter './packages/*' publish --provenance ${{ inputs['dry-run'] && '--dry-run' || '' }}
+      - name: Pack packages
+        shell: bash
+        run: |
+          mkdir -p artifacts/npm
+
+          package_cli_tgz="$(pnpm --filter devextreme-cli pack --json --pack-destination artifacts/npm | jq -er '.filename')"
+          package_schematics_tgz="$(pnpm --filter devextreme-schematics pack --json --pack-destination artifacts/npm | jq -er '.filename')"
+
+          echo "PACKAGE_CLI_TGZ=$package_cli_tgz" >> "$GITHUB_ENV"
+          echo "PACKAGE_SCHEMATICS_TGZ=$package_schematics_tgz" >> "$GITHUB_ENV"
+
+      - name: Upload packages
+        uses: actions/upload-artifact@v7
+        with:
+          name: packages
+          path: artifacts/npm/*.tgz
+          if-no-files-found: error
+          retention-days: 1
+
+      - name: Build SBOMs
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pnpm set //npm.pkg.github.com/:_authToken="$NODE_AUTH_TOKEN"
+          cd tools/make-sbom && pnpm install --frozen-lockfile && pnpm run make-sbom-hashed
+
+      - name: Upload SBOMs
+        uses: actions/upload-artifact@v7
+        with:
+          name: sbom
+          path: tools/make-sbom/dist
+          if-no-files-found: error
+          retention-days: 1
+
+      - name: Publish devextreme-schematics
+        run: pnpm publish "$PACKAGE_SCHEMATICS_TGZ" --provenance ${{ inputs['dry-run'] && '--dry-run' || '' }}
+
+      - name: Publish devextreme-cli
+        run: pnpm publish "$PACKAGE_CLI_TGZ" --provenance ${{ inputs['dry-run'] && '--dry-run' || '' }}
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -0,0 +1,73 @@
+name: SBOM
+
+on:
+  push:
+    branches:
+      - sbom-dev
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  sbom:
+    if: ${{ github.event_name == 'push' && github.ref_type == 'branch' && github.ref_name == 'sbom-dev' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Get sources
+        uses: actions/checkout@v4
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v6
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.node-version'
+          cache: 'pnpm'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Test devextreme-schematics
+        run: pnpm --filter devextreme-schematics run test
+
+      - name: Build devextreme-schematics
+        run: pnpm --filter devextreme-schematics run build
+
+      - name: Pack packages
+        shell: bash
+        run: |
+          mkdir -p artifacts/npm
+
+          package_cli_tgz="$(pnpm --filter devextreme-cli pack --json --pack-destination artifacts/npm | jq -er '.filename')"
+          package_schematics_tgz="$(pnpm --filter devextreme-schematics pack --json --pack-destination artifacts/npm | jq -er '.filename')"
+
+          echo "PACKAGE_CLI_TGZ=$package_cli_tgz" >> "$GITHUB_ENV"
+          echo "PACKAGE_SCHEMATICS_TGZ=$package_schematics_tgz" >> "$GITHUB_ENV"
+
+      - name: Upload packages
+        uses: actions/upload-artifact@v7
+        with:
+          name: packages
+          path: artifacts/npm/*.tgz
+          if-no-files-found: error
+          retention-days: 1
+
+      - name: Build SBOMs
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pnpm set //npm.pkg.github.com/:_authToken="$NODE_AUTH_TOKEN"
+          cd tools/make-sbom && pnpm install --frozen-lockfile && pnpm run make-sbom-hashed
+
+      - name: Upload SBOMs
+        uses: actions/upload-artifact@v7
+        with:
+          name: sbom
+          path: tools/make-sbom/dist
+          if-no-files-found: error
+          retention-days: 1
+  
diff --git a/.gitignore b/.gitignore
@@ -9,6 +9,7 @@
 **/npm-debug.log*
 **/pnpm-debug.log*
 **/yarn-error.log*
+dist/
 packages/devextreme-cli/testing/sandbox/
 packages/devextreme-cli/testing/__tests__/__diff_snapshots__/
 
diff --git a/tools/make-sbom/.npmrc b/tools/make-sbom/.npmrc
@@ -0,0 +1 @@
+@devexpress:registry=https://npm.pkg.github.com
diff --git a/tools/make-sbom/package.json b/tools/make-sbom/package.json
@@ -0,0 +1,13 @@
+{
+  "name": "devextreme-cli-monorepo-sbom",
+  "version": "1.2.7",
+  "packageManager": "pnpm@11.5.1",
+  "private": true,
+  "devDependencies": {
+    "@devexpress/sbom-toolkit": "0.11.1"
+  },
+  "scripts": {
+    "make-sbom": "rm -rf dist/ && pnpm dx-make-sbom ../../ dist/ devextreme-schematics,devextreme-cli",
+    "make-sbom-hashed": "pnpm dx-make-sbom ../../ dist/ devextreme-cli(../../artifacts/npm/$PACKAGE_CLI_TGZ),devextreme-schematics(../../artifacts/npm/$PACKAGE_SCHEMATICS_TGZ)"
+  }
+}
diff --git a/tools/make-sbom/pnpm-lock.yaml b/tools/make-sbom/pnpm-lock.yaml
diff --git a/tools/make-sbom/pnpm-workspace.yaml b/tools/make-sbom/pnpm-workspace.yaml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+@devexpress:registry=https://npm.pkg.github.com`