ci: Generate release SBOM from shipped artefact (no-changelog) (#30812)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/scripts/package.json

@@ -1,7 +1,8 @@
 {
   "name": "workflow-scripts",
   "scripts": {
-    "test": "node --test --experimental-test-module-mocks ./*.test.mjs ./quality/*.test.mjs ./slack/*.test.mjs"
+    "test": "node --test --experimental-test-module-mocks ./*.test.mjs ./quality/*.test.mjs ./slack/*.test.mjs",
+    "generate-sbom": "cdxgen -t pnpm --no-install-deps -o ../../sbom-source.cdx.json ../../compiled/"
   },
   "dependencies": {
     "@actions/github": "9.0.0",
@@ -15,6 +16,7 @@
     "yaml": "^2.8.3"
   },
   "devDependencies": {
+    "@cyclonedx/cdxgen": "12.4.0",
     "conventional-changelog-angular": "8.3.0"
   }
 }

.github/workflows/sbom-generation-callable.yml

@@ -43,40 +43,44 @@ jobs:
         with:
           ref: ${{ inputs.release_tag_ref }}
 
-      - name: Setup Node.js and install dependencies
+      - name: Build production deployment artifact
         uses: ./.github/actions/setup-nodejs
         with:
-          build-command: ''
+          build-command: 'pnpm build:deploy'
 
-      - name: Generate CycloneDX SBOM for source code
-        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
-        with:
-          path: ./
-          format: cyclonedx-json
-          output-file: sbom-source.cdx.json
+      - name: Install isolated SBOM tooling
+        run: pnpm install --frozen-lockfile --dir ./.github/scripts --ignore-workspace
 
-      - name: Attest SBOM for source release
+      - name: Generate CycloneDX SBOM from shipped artifact
+        working-directory: ./.github/scripts
+        run: pnpm generate-sbom
+
+      - name: Attest SBOM for release
         uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
           subject-path: './package.json'
           sbom-path: 'sbom-source.cdx.json'
 
-      - name: Attach SBOM and VEX files to release
+      - name: Attach SBOM, VEX, and license manifest to release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RELEASE_TAG_REF: ${{ inputs.release_tag_ref }}
         run: |
-          # Upload SBOM and VEX files to the existing release
+          cp compiled/THIRD_PARTY_LICENSES.md THIRD_PARTY_LICENSES.md
           gh release upload "$RELEASE_TAG_REF" \
             sbom-source.cdx.json \
             security/vex.openvex.json \
+            THIRD_PARTY_LICENSES.md \
             --clobber
 
           COMPONENT_COUNT=$(jq '.components | length' sbom-source.cdx.json 2>/dev/null || echo "unknown")
+          MISSING_LICENSES=$(jq '[.components[] | select((.licenses // []) | length == 0)] | length' sbom-source.cdx.json 2>/dev/null || echo "unknown")
           VEX_STATEMENTS=$(jq '.statements | length' security/vex.openvex.json 2>/dev/null || echo "0")
-          echo "SBOM and VEX attached to release"
-          echo "  - SBOM: $COMPONENT_COUNT components"
+          echo "SBOM, VEX, and license manifest attached to release"
+          echo "  - SBOM: $COMPONENT_COUNT components from shipped artifact (no devDeps, no optional deps)"
+          echo "  - SBOM: $MISSING_LICENSES components missing license metadata"
           echo "  - VEX: $VEX_STATEMENTS CVE statements"
+          echo "  - THIRD_PARTY_LICENSES.md: human-readable license breakdown"
 
       - name: Notify Slack on failure
         if: failure()

.gitignore

@@ -28,6 +28,7 @@ CHANGELOG-*.md
 !packages/frontend/@n8n/design-system/**/*.mdx
 build-storybook.log
 build.log
+sbom-source.cdx.json
 *.junit.xml
 junit.xml
 test-results.json