# LAB ONLY
# Purpose: generate an SBOM and scan its dependencies for known vulnerabilities with OSV
# Target scope: own code repositories and lab projects
# Risk: downloads additional tools; runs take noticeably longer
# Not for: direct use as a production gate without caching and version pinning
name: osv-sbom
on:
  push:
    branches:
      - main
  workflow_dispatch:
permissions:
  contents: read
jobs:
  osv-sbom:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.22"
      - name: Install Syft and OSV-Scanner
        run: |
          go install github.com/anchore/syft/cmd/syft@latest
          go install github.com/google/osv-scanner/cmd/osv-scanner@latest
          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
      - name: Generate SBOM
        run: |
          syft dir:. -o cyclonedx-json > sbom.json
      - name: Scan SBOM with OSV
        run: |
          osv-scanner scan --sbom=sbom.json
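The workflow above stops at running the scanner, which fails the job on any finding at all; one reason the header calls it unsuitable as a production gate. A practical gate reads the scanner's JSON report and decides on severity and documented risk acceptances instead. The script below is an added example, not part of the workflow and not code from Syft or OSV-Scanner. It assumes the report shape produced by `osv-scanner --format json` (`results[].packages[].groups[].max_severity`, plus `ids` and `aliases` per group); that layout, the sample report, and every identifier in it (`OSV-EXAMPLE-*`, `CVE-0000-*`, `example.com/lib-*`) are constructed placeholders.

```python
"""Severity gate over an OSV-Scanner JSON report.

Example code added to illustrate a gating step; not part of the workflow.
Assumed report layout (an assumption about osv-scanner's JSON output, not
taken from its documentation):
  {"results": [{"source": {...},
                "packages": [{"package": {"name", "version", "ecosystem"},
                              "vulnerabilities": [{"id", "aliases", "summary"}],
                              "groups": [{"ids": [...], "aliases": [...],
                                          "max_severity": "7.5"}]}]}]}
"""
from __future__ import annotations

import json
import sys
from typing import Iterable

# Constructed sample report (placeholder IDs, not real advisories):
#   lib-a: one high-severity group, lib-b: one low-severity group,
#   lib-c: a group with no CVSS score at all (the edge case a gate must decide on).
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "sbom.json", "type": "sbom"},
        "packages": [
            {"package": {"name": "example.com/lib-a", "version": "1.2.3", "ecosystem": "Go"},
             "vulnerabilities": [{"id": "OSV-EXAMPLE-0001", "aliases": ["CVE-0000-00001"], "summary": "placeholder"}],
             "groups": [{"ids": ["OSV-EXAMPLE-0001"], "aliases": ["CVE-0000-00001"], "max_severity": "8.1"}]},
            {"package": {"name": "example.com/lib-b", "version": "0.9.0", "ecosystem": "Go"},
             "vulnerabilities": [{"id": "OSV-EXAMPLE-0002", "aliases": [], "summary": "placeholder"}],
             "groups": [{"ids": ["OSV-EXAMPLE-0002"], "aliases": [], "max_severity": "3.1"}]},
            {"package": {"name": "example.com/lib-c", "version": "2.0.0", "ecosystem": "Go"},
             "vulnerabilities": [{"id": "OSV-EXAMPLE-0003", "aliases": [], "summary": "placeholder"}],
             "groups": [{"ids": ["OSV-EXAMPLE-0003"], "aliases": [], "max_severity": ""}]},
        ],
    }]
})


def findings(report: dict) -> list[dict]:
    """Flatten the report into one record per vulnerability group.

    score is None when the group carries no usable CVSS score."""
    out = []
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            meta = pkg.get("package", {})
            for group in pkg.get("groups", []):
                raw = group.get("max_severity") or ""
                try:
                    score = float(raw)
                except ValueError:
                    score = None
                out.append({
                    "package": f"{meta.get('ecosystem')}:{meta.get('name')}@{meta.get('version')}",
                    "ids": list(group.get("ids", [])) + list(group.get("aliases", [])),
                    "score": score,
                })
    return out


def gate(report_text: str, threshold: float, accepted: Iterable[str] = ()) -> tuple[bool, list[dict]]:
    """Return (passed, blocking_findings).

    A group blocks when its score meets the threshold, or when it has no score
    at all (unknown severity is treated conservatively), unless one of its IDs
    or aliases is on the accepted list. That list is where a reviewed, time-boxed
    risk acceptance goes; it is not a blanket ignore."""
    accepted_ids = set(accepted)
    blocking = []
    for f in findings(json.loads(report_text)):
        if set(f["ids"]) & accepted_ids:
            continue
        if f["score"] is None or f["score"] >= threshold:
            blocking.append(f)
    return (not blocking, blocking)


if __name__ == "__main__":
    # Usage: python gate.py [report.json] [threshold] [accepted-id ...]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    limit = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    ok, blocking = gate(text, limit, sys.argv[3:])
    for f in blocking:
        print(f"BLOCK {f['package']} score={f['score']} ids={','.join(f['ids'])}")
    print("PASS" if ok else f"FAIL: {len(blocking)} blocking finding(s)")
    sys.exit(0 if ok else 1)
```

In the workflow this would replace the bare `osv-scanner scan --sbom=sbom.json` step with a scan that writes JSON to a file, followed by `python gate.py report.json 7.0` so the job's exit status reflects the policy rather than the mere presence of a finding. Treating an unscored group as blocking is a deliberate choice: an advisory without a CVSS score is usually new or unreviewed, which is the wrong moment to let it through silently.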