feat(ci): 集成Feluda工具实现合规性检查和SBOM生成

- 在CI工作流中添加Feluda工具设置和合规性文件生成
- 集成SBOM生成功能,支持SPDX和CycloneDX格式
- 添加SBOM文件验证步骤并生成验证报告
- 实现许可证合规工件上传,包含通知文件和第三方许可证
- 更新发布工作流以包含合规性信息和SBOM文件到发布内容
- 修改权限设置以支持内容写入操作
This commit is contained in:
GeWuYou 2026-02-02 15:03:02 +08:00
parent ed51722746
commit 09e194a2bf
2 changed files with 48 additions and 36 deletions


@ -9,7 +9,7 @@ on:
branches: [ main, master ]
permissions:
contents: read
contents: write
security-events: write
jobs:
@ -93,37 +93,7 @@ jobs:
fail-on-restrictive: true
fail-on-incompatible: true
update-badge: true
# 生成合规性文件执行两次feluda generate命令
- name: Generate compliance files
run: |
echo "1" | feluda generate
echo "2" | feluda generate
# 生成软件物料清单(SBOM)文件输出SPDX和CycloneDX两种格式
- name: Generate SBOM
run: |
feluda sbom spdx --output sbom.spdx.json
feluda sbom cyclonedx --output sbom.cyclonedx.json
# 验证生成的SBOM文件的有效性并输出验证结果到文本文件
- name: Validate SBOM files
run: |
feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt
feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt
# 上传许可证合规相关的工件文件包括通知文件、第三方许可证、SBOM文件及验证结果
- name: Upload compliance artifacts
uses: actions/upload-artifact@v4
with:
name: license-compliance
path: |
NOTICE
THIRD_PARTY_LICENSES.md
sbom.spdx.json
sbom.cyclonedx.json
sbom-spdx-validation.txt
sbom-cyclonedx-validation.txt
update-badge: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
# 构建项目使用Release配置且跳过恢复步骤
- name: Build
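Review bot: The workflow-level `contents: write` on the changed permissions line becomes the default token scope for every job in this file, including whichever job runs the third-party feluda action, while the only step that appears to need write access is the badge update, which is already gated to pushes on main by the `update-badge:` condition. Keep the top-level grant at `contents: read` and add `permissions: contents: write` only on the job that updates the badge, so a compromised dependency in any other job cannot push to the repository. If this workflow also runs on `pull_request`, the widened grant does nothing for fork PRs but still applies to same-repo branches. The `on:` block and the job boundaries are outside the hunks, so which job actually needs the write scope is inferred from that condition and should be confirmed.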


@ -67,7 +67,38 @@ jobs:
set -e
echo "Packing with version=${{ steps.tag_version.outputs.version }}"
dotnet pack -c Release -o ./packages -p:PackageVersion=${{ steps.tag_version.outputs.version }} -p:IncludeSymbols=false
- name: Setup Feluda
uses: anistark/feluda@v1.11.1
# 生成合规性文件执行两次feluda generate命令
- name: Generate compliance files
run: |
echo "1" | feluda generate
echo "2" | feluda generate
# 生成软件物料清单(SBOM)文件输出SPDX和CycloneDX两种格式
- name: Generate SBOM
run: |
feluda sbom spdx --output sbom.spdx.json
feluda sbom cyclonedx --output sbom.cyclonedx.json
# 验证生成的SBOM文件的有效性并输出验证结果到文本文件
- name: Validate SBOM files
run: |
feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt
feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt
# 上传许可证合规相关的工件文件包括通知文件、第三方许可证、SBOM文件及验证结果
- name: Upload compliance artifacts
uses: actions/upload-artifact@v4
with:
name: license-compliance
path: |
NOTICE
THIRD_PARTY_LICENSES.md
sbom.spdx.json
sbom.cyclonedx.json
sbom-spdx-validation.txt
sbom-cyclonedx-validation.txt
- name: Show packages
run: ls -la ./packages || true
@ -99,7 +130,7 @@ jobs:
if [ "$pushed_any" = false ]; then
echo "No packages found to push."
fi
# 从 .nupkg 文件中提取版本信息
# 通过解压 .nupkgzip 格式)并读取 .nuspec 文件来获取版本
# 输出:
@ -134,10 +165,21 @@ jobs:
with:
generate_release_notes: true
name: "Release ${{ github.ref_name }}"
body: "Release created by CI for tag ${{ github.ref_name }} (package version ${{ steps.get_version.outputs.version }})"
body: |
Release created by CI for tag ${{ github.ref_name }}
Package version: ${{ steps.get_version.outputs.version }}
## Compliance
- NOTICE
- THIRD_PARTY_LICENSES
- SPDX & CycloneDX SBOM
draft: false
prerelease: false
# 核心优化:直接支持通配符
files: ./packages/*.nupkg
files: |
./packages/*.nupkg
NOTICE
THIRD_PARTY_LICENSES.md
sbom.spdx.json
sbom.cyclonedx.json
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
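Review bot: `uses: anistark/feluda@v1.11.1` pins a third-party action to a mutable tag inside the release job, which runs with a `GITHUB_TOKEN` that has `contents: write` (the release step below) and, judging by the package push step in the context lines, presumably the registry credential as well; a retargeted tag would run arbitrary code with those secrets. Pin it to the full commit SHA and keep the version as a comment, `uses: anistark/feluda@<commit-sha> # v1.11.1`, and let Dependabot or Renovate bump it. The validation step writes its results to `sbom-*-validation.txt` but nothing reads them, so unless `feluda sbom validate` exits non-zero on an invalid document (not visible here) an invalid SBOM still gets attached to the release; confirm the exit-code semantics or fail the job on the report contents. The SBOMs are published unsigned; if the job can be given `id-token: write`, an attestation step would let consumers verify them, but the job's permissions block is outside the hunk.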