From 09e194a2bf3597c6323f50f5012fa7556f9fc9de Mon Sep 17 00:00:00 2001 From: GeWuYou <95328647+GeWuYou@users.noreply.github.com> Date: Mon, 2 Feb 2026 15:03:02 +0800 Subject: [PATCH] =?UTF-8?q?feat(ci):=20=E9=9B=86=E6=88=90Feluda=E5=B7=A5?= =?UTF-8?q?=E5=85=B7=E5=AE=9E=E7=8E=B0=E5=90=88=E8=A7=84=E6=80=A7=E6=A3=80?= =?UTF-8?q?=E6=9F=A5=E5=92=8CSBOM=E7=94=9F=E6=88=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 在CI工作流中添加Feluda工具设置和合规性文件生成 - 集成SBOM生成功能,支持SPDX和CycloneDX格式 - 添加SBOM文件验证步骤并生成验证报告 - 实现许可证合规工件上传,包含通知文件和第三方许可证 - 更新发布工作流以包含合规性信息和SBOM文件到发布内容 - 修改权限设置以支持内容写入操作 --- .github/workflows/ci.yml | 34 ++---------------------- .github/workflows/publish.yml | 50 ++++++++++++++++++++++++++++++++--- 2 files changed, 48 insertions(+), 36 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bec526e..93e4fa6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,7 +9,7 @@ on: branches: [ main, master ] permissions: - contents: read + contents: write security-events: write jobs: 
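Review bot: Raising the workflow-level `permissions` block from `contents: read` to `contents: write` hands a repository-write token to every job in ci.yml, while the only thing in this patch that appears to need it is the badge update in the feluda step of the second hunk. Keep `contents: read` at the top level and add a job-level `permissions:` / `contents: write` on the single job that performs the badge update, so the build and test jobs keep a read-only token. If `pull_request` is among the triggers (the start of the `on:` block is outside this hunk), same-repository PR runs would otherwise also receive a write-capable token, which is more than a CI build should hold. The `on:` block begins before this hunk.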
@@ -93,37 +93,7 @@ jobs: fail-on-restrictive: true fail-on-incompatible: true update-badge: true - - # 生成合规性文件,执行两次feluda generate命令 - - name: Generate compliance files - run: | - echo "1" | feluda generate - echo "2" | feluda generate - - # 生成软件物料清单(SBOM)文件,输出SPDX和CycloneDX两种格式 - - name: Generate SBOM - run: | - feluda sbom spdx --output sbom.spdx.json - feluda sbom cyclonedx --output sbom.cyclonedx.json - - # 验证生成的SBOM文件的有效性,并输出验证结果到文本文件 - - name: Validate SBOM files - run: | - feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt - feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt - - # 上传许可证合规相关的工件文件,包括通知文件、第三方许可证、SBOM文件及验证结果 - - name: Upload compliance artifacts - uses: actions/upload-artifact@v4 - with: - name: license-compliance - path: | - NOTICE - THIRD_PARTY_LICENSES.md - sbom.spdx.json - sbom.cyclonedx.json - sbom-spdx-validation.txt - sbom-cyclonedx-validation.txt + update-badge: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} # 构建项目,使用Release配置且跳过恢复步骤 - name: Build diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b305660..9694ded 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
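Review bot: The new side of this hunk carries two `update-badge` keys in the same `with:` mapping — the unchanged `update-badge: true` context line directly above the added `update-badge: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}`. Duplicate mapping keys are invalid YAML, so depending on the parser the workflow is either rejected at load time or the second value silently wins, which makes the intended gating unreliable either way. Drop the `update-badge: true` line so only the conditional expression remains. Note also that the workflow's branch filter lists `master` alongside `main`, so a `master`-based repository would never refresh the badge; if that is intentional it deserves a one-line comment. The step's `uses:` line and the rest of the job are outside this hunk.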
@@ -67,7 +67,38 @@ jobs: set -e echo "Packing with version=${{ steps.tag_version.outputs.version }}" dotnet pack -c Release -o ./packages -p:PackageVersion=${{ steps.tag_version.outputs.version }} -p:IncludeSymbols=false + - name: Setup Feluda + uses: anistark/feluda@v1.11.1 + # 生成合规性文件,执行两次feluda generate命令 + - name: Generate compliance files + run: | + echo "1" | feluda generate + echo "2" | feluda generate + # 生成软件物料清单(SBOM)文件,输出SPDX和CycloneDX两种格式 + - name: Generate SBOM + run: | + feluda sbom spdx --output sbom.spdx.json + feluda sbom cyclonedx --output sbom.cyclonedx.json + + # 验证生成的SBOM文件的有效性,并输出验证结果到文本文件 + - name: Validate SBOM files + run: | + feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt + feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt + + # 上传许可证合规相关的工件文件,包括通知文件、第三方许可证、SBOM文件及验证结果 + - name: Upload compliance artifacts + uses: actions/upload-artifact@v4 + with: + name: license-compliance + path: | + NOTICE + THIRD_PARTY_LICENSES.md + sbom.spdx.json + sbom.cyclonedx.json + sbom-spdx-validation.txt + sbom-cyclonedx-validation.txt - name: Show packages run: ls -la ./packages || true @@ -99,7 +130,7 @@ jobs: if [ "$pushed_any" = false ]; then echo "No packages found to push." fi - + # 从 .nupkg 文件中提取版本信息 # 通过解压 .nupkg(zip 格式)并读取 .nuspec 文件来获取版本 # 输出: 
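Review bot: `uses: anistark/feluda@v1.11.1` pins a third-party action by mutable tag inside the publish job, after `dotnet pack` has written the packages to `./packages` and before the later push step ships them, so anything that re-points that tag runs with full access to the workspace and can alter the .nupkg files before they are published. Pin it to a full commit SHA (`uses: anistark/feluda@<40-char-sha> # v1.11.1`) and, ideally, generate the SBOM in a separate job that never sees whatever credentials the push step uses. The `Upload compliance artifacts` step also relies on `actions/upload-artifact@v4`'s default `if-no-files-found: warn`, so a `feluda generate` run that produces no `NOTICE`/`THIRD_PARTY_LICENSES.md` (the piped `echo "1"` / `echo "2"` answers to its prompts are fragile) would pass silently; add `if-no-files-found: error` under its `with:`. The step that pushes the packages is outside this hunk.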
@@ -134,10 +165,21 @@ jobs: with: generate_release_notes: true name: "Release ${{ github.ref_name }}" - body: "Release created by CI for tag ${{ github.ref_name }} (package version ${{ steps.get_version.outputs.version }})" + body: | + Release created by CI for tag ${{ github.ref_name }} + Package version: ${{ steps.get_version.outputs.version }} + + ## Compliance + - NOTICE + - THIRD_PARTY_LICENSES + - SPDX & CycloneDX SBOM draft: false prerelease: false - # 核心优化:直接支持通配符 - files: ./packages/*.nupkg + files: | + ./packages/*.nupkg + NOTICE + THIRD_PARTY_LICENSES.md + sbom.spdx.json + sbom.cyclonedx.json env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file
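Review bot: The added `files:` entries attach `NOTICE`, `THIRD_PARTY_LICENSES.md` and the two SBOMs to the release, but nothing gates this on the files actually existing or on the earlier `feluda sbom validate` results, so a generation failure yields a release that silently lacks its compliance artifacts. The release action's `uses:` line is outside this hunk; if it is softprops/action-gh-release, `fail_on_unmatched_files: true` closes the first gap, and a preceding `run: test -s sbom.spdx.json && test -s sbom.cyclonedx.json` step covers the second. The SBOMs are also published without any signature or provenance; if the repository uses GitHub artifact attestations, an `actions/attest-sbom` step (with `id-token: write` and `attestations: write` on the job) would make them verifiable by consumers. Minor: the release body lists `THIRD_PARTY_LICENSES` while the attached file is `THIRD_PARTY_LICENSES.md`.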