Add SBOM Generation to Your GitHub Project with Syft

I just published a quick blog post about our sbom-action ! :partying_face:

Share and enjoy :pray:

I have this running on a personal project, but ran into an issue where it fails to upload the SBOM to the release artifacts.

--------------------- Attaching SBOMs to release: ‘v0.0.0’ ---------------------
[…]
Error: Resource not accessible by integration

Is there a config step missing to give the action permission to attach files to releases?

I didn’t RTFM. Looks like there are indeed permissions you need to set.

Working example: https://raw.githubusercontent.com/bigbrainenergy-org/web.tdl.app/refs/heads/main/.github/workflows/docker-publish.yml

Important bits:

jobs:
  build:
    permissions:
      actions: read     # lets the action find and download the workflow artifact it uploaded
      contents: write   # needed to upload the SBOM artifact and attach it to the release
    steps:
      # ... checkout, build and sbom-action steps omitted here; see the linked workflow

Hey @joshbuker – there is a section about permissions, today which says:

This action needs the following permissions, depending on how it is being used:

contents: write # for sbom-action artifact uploads

If attaching release assets, the actions: read permission is also required. This may be implicit for public repositories, but is likely to be necessary for private repositories.

actions: read # to find workflow artifacts when attaching release assets
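A complete workflow that applies the two permissions quoted above, written as an added example for this page; it is not the linked workflow and not code from the sbom-action README. It goes slightly beyond the thread by keeping the token read-only at the workflow level and granting `contents: write` only to the one job that uploads the SBOM, since that scope also lets any step in the job push commits or tags. The `anchore/sbom-action@v0` inputs used here (`path`, `format`, `artifact-name`, `upload-release-assets`) are taken from my reading of the action's README and should be checked against the version you pin; the artifact name is an arbitrary choice.

```yaml
name: Release SBOM

on:
  release:
    types: [published]   # the action attaches assets to the release that fired the event

# Workflow-level default: no scopes at all. A job that does not declare its own
# permissions block gets this empty set, not the repository's default token.
permissions: {}

jobs:
  sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # upload the SBOM as an asset on the release
      actions: read     # list/download the workflow artifact the action produced
                        # (implicit on public repos, needed on private ones)
    steps:
      - uses: actions/checkout@v4

      # Generate an SPDX SBOM of the checked-out source and, because this run was
      # triggered by a release event, attach it to that release. Input names are
      # assumed from the sbom-action README; verify them for the version you pin.
      - name: Generate and attach SBOM
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          artifact-name: sbom.spdx.json
          upload-release-assets: true
```

Two things to keep in mind when adapting this: `permissions: {}` at the top means any second job added to the file has to ask explicitly for every scope it needs, which is the point; and a run triggered by a pull request from a fork gets a read-only token regardless of what the `permissions` block says, so release-asset upload has to come from a `release` or `push` triggered workflow, as here.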