fix: lower minimum score threshold for completeness validation #57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: AIBomGen-cli Go Build | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| build: | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| go-version: ["1.25.x", "1.24.x", "1.23.x", "1.22.x", "1.21.x"] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go ${{ matrix.go-version }} | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| check-latest: true | |
| cache: true | |
| cache-dependency-path: | | |
| **/go.sum | |
| **/go.work.sum | |
| - name: Show Go env | |
| run: | | |
| go version | |
| go env GOMODCACHE GOCACHE GOOS GOARCH | |
| - name: Install dependencies | |
| run: go mod tidy | |
| - name: Run tests (no coverage) | |
| if: ${{ matrix.go-version != '1.25.x' }} | |
| run: go test ./... | |
| - name: Run tests (with coverage) | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: go test ./... -coverprofile=coverage.out -covermode=atomic | |
| - name: Upload coverage to Codecov | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| file: ./coverage.out | |
| flags: unittests | |
| name: codecov-umbrella | |
| fail_ci_if_error: false | |
| - name: Build | |
| run: | | |
| go build -o AIBoMGen-cli ./ | |
| chmod +x AIBoMGen-cli | |
| - name: Install Syft | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| uses: anchore/sbom-action/[email protected] | |
| - name: Install Cosign | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| uses: sigstore/[email protected] | |
| - name: Install Grype | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| uses: anchore/scan-action/download-grype@v4 | |
| - name: Generate SBOM (Syft) | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: syft ./AIBoMGen-cli -o cyclonedx-json=sbom-binary.json | |
| - name: Scan SBOM for vulnerabilities (Grype) | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: grype sbom:./sbom-binary.json -o cyclonedx-json=sbom-binary-vulnerabilities.json | |
| - name: Sign SBOM (Keyless) | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: | | |
| cosign sign-blob --yes \ | |
| --oidc-issuer=https://token.actions.githubusercontent.com \ | |
| --bundle=sbom.bundle.json \ | |
| sbom-binary-vulnerabilities.json | |
| - name: Fail if vulnerabilities found | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| run: | | |
| if [ ! -f sbom-binary-vulnerabilities.json ]; then | |
| echo "vulnerabilities file not found"; exit 1 | |
| fi | |
| count=$(jq '.vulnerabilities | length' sbom-binary-vulnerabilities.json || echo 0) | |
| if [ "$count" -gt 0 ]; then | |
| echo "Found $count vulnerabilities in SBOM"; exit 1 | |
| fi | |
| - name: Upload SBOM artifacts | |
| if: ${{ matrix.go-version == '1.25.x' }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom-artifacts | |
| path: | | |
| sbom-binary.json | |
| sbom-binary-vulnerabilities.json | |
| sbom.bundle.json |