feat: add Keycloak and delegate SBOM generation to sbomify action#7
Merged
vpetersson merged 8 commits into master, Jan 5, 2026
Conversation
Add Keycloak v26.4.7 using lockfile source (pom.xml from GitHub).

Refactor lockfile handling to delegate SBOM generation to the sbomify GitHub Action instead of running cdxgen/syft locally:
- Remove cdxgen installation from workflow for lockfile sources
- Update sbom-builder.yml to pass LOCK_FILE to sbomify action
- Simplify lockfile-generator.sh to only download lockfiles
- Add separate workflow steps for SBOM vs lockfile sources

New files:
- apps/keycloak/config.yaml
- .github/workflows/sbom-keycloak.yml

Updated documentation to reflect that SBOM generation from lockfiles is now handled by the sbomify GitHub Action.

Overhaul keycloak SBOM generation to properly resolve Maven dependencies:
- Add post_clone_commands support to lockfile source type, allowing arbitrary commands to run after cloning (e.g., Maven builds)
- Add get_config_array helper to common.sh for reading YAML arrays
- Add Maven dependency caching (~/.m2/repository) to workflow for faster subsequent builds
- Update keycloak config to:
  - Use quarkus/runtime/pom.xml as the lockfile target
  - Run Maven install to resolve dependencies before SBOM generation

The Maven build uses -DskipTestsuite -DskipExamples -DskipTests flags to minimize build time while still resolving the full dependency tree.

- Suppress git detached HEAD advice during clone
- Remove verbose ls output from fetch step
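As an added illustration (not the repository's own common.sh or lockfile-generator.sh), a minimal POSIX-shell get_config_array that reads a simple top-level YAML list such as post_clone_commands from a config.yaml, plus a runner that executes those entries in order after the clone. The config contents and the echo commands are constructed; in the real keycloak config the entries would be the Maven install described above.

```shell
#!/bin/sh
# Added example, not the project's code: read a top-level YAML list from a
# config file and run each post_clone_commands entry after cloning.
# Only "key:" followed by "  - item" lines is handled; nested maps,
# anchors and flow syntax ([a, b]) are out of scope.
set -eu

# Constructed sample config modelled on a lockfile source (not the real file).
CONFIG_FILE="$(mktemp)"
trap 'rm -f "$CONFIG_FILE"' EXIT
cat > "$CONFIG_FILE" <<'EOF'
name: keycloak
source: lockfile
lockfile: quarkus/runtime/pom.xml
post_clone_commands:
  - echo "resolving dependencies"
  - echo "done"
tags:
  - java
EOF

# get_config_array <key> <file>: print one list item per line, nothing if
# the key is absent or is a scalar rather than a list.
get_config_array() {
  key="$1"; file="$2"
  awk -v key="$key" '
    $0 ~ ("^" key ":[[:space:]]*$") { inlist = 1; next }   # list header
    inlist && /^[[:space:]]+-[[:space:]]*/ {               # "  - item"
      sub(/^[[:space:]]+-[[:space:]]*/, ""); print; next
    }
    inlist && /^[^[:space:]]/ { inlist = 0 }               # next top-level key
  ' "$file"
}

# run_post_clone_commands <file>: run each entry in order, stop on the first
# failure, and print the number of commands that ran. Entries come from the
# checked-in config (reviewed like any other repo change), not from
# untrusted input, which is the only reason eval is acceptable here.
run_post_clone_commands() {
  file="$1"; ran=0; list="$(mktemp)"
  get_config_array post_clone_commands "$file" > "$list"
  while IFS= read -r cmd; do
    [ -n "$cmd" ] || continue
    echo "[post_clone] $cmd" >&2
    eval "$cmd" 1>&2 || { rm -f "$list"; return 1; }
    ran=$((ran + 1))
  done < "$list"
  rm -f "$list"
  echo "$ran"
}
```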
Pull request overview
This PR adds support for Keycloak SBOM generation and refactors lockfile handling to delegate SBOM generation to the sbomify GitHub Action instead of running cdxgen/syft locally.
Key changes:
- Added Keycloak v26.4.7 with both backend (Maven) and JS (pnpm) configurations
- Refactored lockfile-generator.sh to only download/clone lockfiles, removing local SBOM generation logic
- Updated workflow to support separate handling of SBOM vs lockfile sources with the sbomify action
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| scripts/sources/lockfile-generator.sh | Simplified to download lockfiles or clone repos; removed cdxgen/syft generation logic |
| scripts/sources/github-release.sh | Added shellcheck directives for linting |
| scripts/sources/docker-attestation.sh | Added shellcheck directives for linting |
| scripts/sources/chainguard.sh | Added shellcheck directives for linting |
| scripts/lib/common.sh | Added get_config_array function to read array values from config |
| scripts/fetch-sbom.sh | Added logging for lockfile vs SBOM sources; added shellcheck directives |
| apps/keycloak/config.yaml | New Keycloak backend configuration using Maven pom.xml with clone and build steps |
| apps/keycloak-js/config.yaml | New Keycloak JS configuration using pnpm-lock.yaml |
| README.md | Updated documentation to reflect lockfile handling changes |
| .github/workflows/sbom-keycloak.yml | New workflow for Keycloak backend SBOM generation |
| .github/workflows/sbom-keycloak-js.yml | New workflow for Keycloak JS SBOM generation |
| .github/workflows/sbom-builder.yml | Added lockfile source handling, Maven caching, and separate upload steps for lockfiles |