DEMA Consulting collection of standard SpdxTool workflow YAML files for capturing build-tool version information and populating SPDX software bills of materials (SBOMs).
This collection provides:
- Version Discovery Workflows: Detect and capture the installed versions of common build tools — .NET SDK, GCC, MSBuild, NuGet, VSTest, and IAR EW ARM
- SPDX Package Workflows: Add build-tool packages to an SPDX document — .NET SDK, GCC, MSBuild, NuGet, VSTest, and IAR EW ARM
- NuGet SPDX Enhancement: Enrich an SPDX document package with metadata sourced from a NuGet package's own SPDX document
- Multi-Platform Support: Workflows target Windows and Linux build environments
- MSTest V4: Modern unit testing with MSTest framework version 4
- Comprehensive CI/CD: GitHub Actions workflows with quality checks and builds
SpdxWorkflows are referenced directly by URL inside your own SpdxTool workflow YAML files. No separate installation step is required beyond having SpdxTool available.
Install SpdxTool using the .NET CLI:

```bash
dotnet tool install --global DemaConsulting.SpdxTool
```

Reference a workflow by supplying its versioned GitHub URL and an optional SHA-512 integrity
hash to the run-workflow command:

```yaml
- command: run-workflow
  inputs:
    url: 'https://github.com/demaconsulting/SpdxWorkflows/blob/0.1.0/GetDotNetVersion.yaml'
    integrity: d9c80d18f6ad6b3cbd5facb28d6c5712bc68c58ace11ebf890cfc92e0857628b
    parameters:
      <optional parameters>
    outputs:
      <optional outputs>
```

Replace 0.1.0 with the desired release tag. See Releases for available
versions and their workflow integrity hashes.
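Because the integrity hash is optional, a remote workflow reference can end up unpinned or unverified. The following is an added example, not part of the SpdxWorkflows project: a Python check that scans a workflow file for run-workflow steps and reports remote references that lack an integrity hash or do not point at a release tag. The sample workflow is constructed; the release-tag pattern, the accepted digest lengths (64 or 128 hex characters), and skipping steps that have no url are assumptions of this example.

```python
import re

# Constructed sample workflow (only the first step mirrors the page's snippet).
SAMPLE = """\
steps:
- command: run-workflow
  inputs:
    url: 'https://github.com/demaconsulting/SpdxWorkflows/blob/0.1.0/GetDotNetVersion.yaml'
    integrity: d9c80d18f6ad6b3cbd5facb28d6c5712bc68c58ace11ebf890cfc92e0857628b
- command: run-workflow
  inputs:
    url: 'https://github.com/demaconsulting/SpdxWorkflows/blob/main/GetGccVersion.yaml'
- command: run-workflow
  inputs:
    url: 'http://github.com/demaconsulting/SpdxWorkflows/blob/0.1.0/AddGccPackage.yaml'
    integrity: not-a-digest
"""

STEP = re.compile(r"^\s*-\s*command:\s*(\S+)")
FIELD = re.compile(r"^\s*(url|integrity):\s*['\"]?([^'\"\s#]+)")
TAG_REF = re.compile(r"/blob/\d+\.\d+\.\d+/")  # assumed release-tag shape
DIGEST = re.compile(r"^(?:[0-9a-f]{64}|[0-9a-f]{128})$", re.I)  # assumed lengths

def audit(text):
    """Return (url, problem) pairs for remote run-workflow references."""
    steps, cur = [], None
    for line in text.splitlines():
        if m := STEP.match(line):
            cur = {"command": m.group(1)}
            steps.append(cur)
        elif cur is not None and (f := FIELD.match(line)):
            cur[f.group(1)] = f.group(2)
    findings = []
    for s in steps:
        url = s.get("url")
        if s["command"] != "run-workflow" or not url:
            continue  # other commands, or steps without a url, are skipped
        if not url.startswith("https://"):
            findings.append((url, "not fetched over https"))
        if not TAG_REF.search(url):
            findings.append((url, "ref is not a release tag"))
        if "integrity" not in s:
            findings.append((url, "no integrity hash"))
        elif not DIGEST.match(s["integrity"]):
            findings.append((url, "integrity is not a hex digest"))
    return findings

if __name__ == "__main__":
    for url, problem in audit(SAMPLE):
        print(f"{problem}: {url}")
```

Run as a CI step over the repository's workflow files, a non-empty result can fail the build before SpdxTool fetches anything.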
These workflows detect and capture the installed version of a build tool. All version
discovery workflows produce a single version output parameter.
| Workflow | Description | Platform |
|---|---|---|
| GetDotNetVersion.yaml | Gets the installed .NET SDK version | Windows, Linux |
| GetGccVersion.yaml | Gets the installed GCC version | Linux |
| GetIarEwArmVersion.yaml | Gets the installed IAR EW ARM version | Windows |
| GetMsBuildVersion.yaml | Gets the installed MSBuild version | Windows |
| GetNugetVersion.yaml | Gets the installed NuGet version | Windows |
| GetNugetPackagePath.yaml | Gets the path to a NuGet package in the local cache | Windows |
| GetVsTestVersion.yaml | Gets the installed VSTest version | Windows |
These workflows add a build-tool entry as a package to an existing SPDX document.
| Workflow | Description | Platform |
|---|---|---|
| AddDotNetPackage.yaml | Adds the .NET SDK package to an SPDX document | Windows, Linux |
| AddGccPackage.yaml | Adds the GCC package to an SPDX document | Linux |
| AddIarEwArmPackage.yaml | Adds the IAR EW ARM package to an SPDX document | Windows |
| AddMsBuildPackage.yaml | Adds the MSBuild package to an SPDX document | Windows |
| AddNugetPackage.yaml | Adds the NuGet package to an SPDX document | Windows |
| AddVsTestPackage.yaml | Adds the VSTest package to an SPDX document | Windows |
| EnhancePackageFromNugetSpdx.yaml | Enhances an SPDX package with metadata from a NuGet SPDX document | Windows |
For full parameter and output details see the User Guide.
- User Guide: Workflow parameters, outputs, and usage examples
Copyright (c) DEMA Consulting. Licensed under the MIT License. See LICENSE for details.
By contributing to this project, you agree that your contributions will be licensed under the MIT License.