artifact-sbom-publisher

Artifact & SBOM Publisher

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "artifact-sbom-publisher" with this command: npx skills add patricio0312rev/skills/patricio0312rev-skills-artifact-sbom-publisher

Artifact & SBOM Publisher

Generate and publish artifacts with supply chain security metadata.

Build Artifacts

build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4

- uses: actions/setup-node@v4
  with:
    node-version: "20"

- run: npm ci
- run: npm run build

- name: Upload artifacts
  uses: actions/upload-artifact@v4
  with:
    name: dist-${{ github.sha }}
    path: |
      dist/
      !dist/**/*.map
    retention-days: 30
    if-no-files-found: error

SBOM Generation (CycloneDX)

sbom: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4

- name: Generate SBOM
  uses: CycloneDX/gh-node-module-generatebom@master
  with:
    path: ./
    output: ./sbom.json

- name: Upload SBOM
  uses: actions/upload-artifact@v4
  with:
    name: sbom-${{ github.sha }}
    path: sbom.json

SBOM with Syft

  • name: Generate SBOM with Syft run: | curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin syft . -o spdx-json > sbom-spdx.json syft . -o cyclonedx-json > sbom-cyclonedx.json

  • name: Upload SBOMs uses: actions/upload-artifact@v4 with: name: sboms path: | sbom-spdx.json sbom-cyclonedx.json

Docker Image SBOM

  • name: Build image uses: docker/build-push-action@v5 with: context: . push: true tags: myapp:${{ github.sha }} sbom: true provenance: true

  • name: Generate SBOM for image run: | syft myapp:${{ github.sha }} -o spdx-json > image-sbom.json

  • name: Scan SBOM for vulnerabilities uses: anchore/scan-action@v3 with: sbom: image-sbom.json fail-build: true severity-cutoff: high

Build Provenance (SLSA)

provenance: runs-on: ubuntu-latest permissions: actions: read id-token: write contents: write steps: - uses: actions/checkout@v4

- name: Build
  run: npm run build

- name: Generate provenance
  uses: actions/attest-build-provenance@v1
  with:
    subject-path: "dist/**"

Artifact Metadata

  • name: Create artifact metadata run: | cat > artifact-metadata.json << EOF { "version": "${{ github.ref_name }}", "commit": "${{ github.sha }}", "branch": "${{ github.ref }}", "build_time": "$(date -u +%Y-%m-%dT%H:%M:%SZ)", "builder": "GitHub Actions", "workflow": "${{ github.workflow }}", "run_id": "${{ github.run_id }}", "actor": "${{ github.actor }}" } EOF

  • name: Upload metadata uses: actions/upload-artifact@v4 with: name: metadata path: artifact-metadata.json

Package & Release

release: runs-on: ubuntu-latest needs: [build, sbom] if: github.event_name == 'release' steps: - name: Download artifacts uses: actions/download-artifact@v4 with: path: artifacts/

- name: Create release package
  run: |
    cd artifacts
    tar -czf ../release.tar.gz dist-* sbom-* metadata/

- name: Upload to release
  uses: actions/upload-release-asset@v1
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  with:
    upload_url: ${{ github.event.release.upload_url }}
    asset_path: ./release.tar.gz
    asset_name: release-${{ github.ref_name }}.tar.gz
    asset_content_type: application/gzip

Vulnerability Scanning

  • name: Scan SBOM for vulnerabilities uses: aquasecurity/trivy-action@master with: scan-type: "sbom" format: "sarif" output: "trivy-results.sarif" sbom-sources: "sbom.json"

  • name: Upload scan results uses: github/codeql-action/upload-sarif@v3 with: sarif_file: "trivy-results.sarif"

Artifact Attestation

  • name: Attest artifact uses: actions/attest@v1 with: subject-path: "dist/myapp.tar.gz" predicate-type: "https://slsa.dev/provenance/v1" predicate: | { "buildType": "https://github.com/actions/workflow", "builder": { "id": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" }, "metadata": { "buildInvocationId": "${{ github.run_id }}", "completeness": { "parameters": true, "environment": false, "materials": true } } }

Best Practices

  • Generate SBOMs: For all releases

  • Multiple formats: SPDX and CycloneDX

  • Scan vulnerabilities: Before release

  • Sign artifacts: For verification

  • Include provenance: SLSA attestation

  • Retention policy: Keep artifacts 30 days

  • Metadata: Version, commit, timestamp

  • Automate: Part of every build

Output Checklist

  • Build artifacts uploaded

  • SBOM generated (SPDX or CycloneDX)

  • Vulnerability scanning configured

  • Build provenance generated

  • Artifact metadata included

  • Release packaging automated

  • Attestation/signing (optional)

  • Retention policy set

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

framer-motion-animator

No summary provided by upstream source.

Repository SourceNeeds Review
1.5K-patricio0312rev
General

eslint-prettier-config

No summary provided by upstream source.

Repository SourceNeeds Review
281-patricio0312rev
General

postman-collection-generator

No summary provided by upstream source.

Repository SourceNeeds Review
125-patricio0312rev
General

nginx-config-optimizer

No summary provided by upstream source.

Repository SourceNeeds Review
117-patricio0312rev