Add SBOM diff

jasonhills-mongodb · jasonhills-mongodb · commit bab76ec2cbb2 · 2025-12-02T13:47:51.000-05:00
diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml
@@ -65,13 +65,32 @@ jobs:
     - name: Install dependencies
       run: uv sync --group generate_sbom
 
+    - name: Save existing SBOM for comparison
+      run: |
+        # Strip out nondeterministic SBOM fields and save to temp file
+        jq 'del(.version, .metadata.timestamp, .metadata.tools.services[].version)' sbom.json > ${{runner.temp}}/sbom.existing.cdx.json
+
     - name: generate_sbom.py
-      run: uv run etc/sbom/generate_sbom.py --enable-github-action-token --target=branch --sbom-metadata=etc/sbom/metadata.cdx.json --save-warnings=${{runner.temp}}/warnings.txt
+      run: |
+        uv run etc/sbom/generate_sbom.py --enable-github-action-token --target=branch --sbom-metadata=etc/sbom/metadata.cdx.json --save-warnings=${{runner.temp}}/warnings.txt
+    
+    - name: Check for SBOM changes
+      id: sbom_diff
+      run: |
+        # Strip out nondeterministic SBOM fields and save to temp file
+        jq 'del(.version, .metadata.timestamp, .metadata.tools.services[].version)' sbom.json > ${{runner.temp}}/sbom.generated.cdx.json
+        RESULT=$(diff ${{runner.temp}}/sbom.existing.cdx.json ${{runner.temp}}/sbom.generated.cdx.json)
+        # Set the output variable
+        echo "::set-output name=result::$RESULT" 
 
-    - name: Generate Pull Request Content
-      run: printf "SBOM updated after commit ${{ github.sha }}.\n\nThe following warnings were output when generating the SBOM:\n" | cat - ${{runner.temp}}/warnings.txt > ${{runner.temp}}/pr_body.txt
+    - name: Generate pull request content and notice, if SBOM has changed
+      if: ${{ steps.sbom_diff.outputs.result }}
+      run: |
+        printf "SBOM updated after commit ${{ github.sha }}.\n\n" | cat - ${{runner.temp}}/warnings.txt > ${{runner.temp}}/pr_body.txt
+        echo "::notice SBOM has changed"
 
-    - name: Open Pull Request
+    - name: Open Pull Request, if SBOM has changed
+      if: ${{ steps.sbom_diff.outputs.result }}
       uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
       with:
         add-paths: sbom.json
diff --git a/etc/sbom/generate_sbom.py b/etc/sbom/generate_sbom.py
@@ -830,17 +830,17 @@ def main() -> None:
 
     # Access the collected warnings
     print_banner('CONSOLIDATED WARNINGS')
-    warnings = []
+    warnings = ["The following warnings were output when generating the SBOM:\n"]
     for record in warning_handler.warnings:
-        warnings.append(record.getMessage())
+        warnings.append(" - " + record.getMessage())
 
     print('\n'.join(warnings))
 
     if save_warnings:
         write_list_to_text_file(warnings, save_warnings)
 
     print_banner('COMPLETED')
-    if not os.getenv('CI'):
+    if not os.getenv('CI') and not os.getenv("GITHUB_ACTIONS"):
         print('Be sure to add the SBOM to your next commit if the file content has changed.')
 
     # endregion Finalize SBOM
