Generate SBOM workflow (Keeper-Security/Commander)
The Generate SBOM workflow from Keeper-Security/Commander, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get caching, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Generate SBOM workflow from the Keeper-Security/Commander repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Generate SBOM
on:
workflow_dispatch:
release:
types: [published]
jobs:
generate-sbom:
name: "Generate and Publish SBOM"
environment: prod
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install Commander and SBOM tools
run: |
python -m pip install --upgrade pip wheel setuptools
pip install .
pip install cyclonedx-bom
VERSION=$(python3 -c "import keepercommander.__init__ as init; print(init.__version__)")
echo "PACKAGE_VERSION=${VERSION}" >> $GITHUB_ENV
pip freeze > installed_packages.txt
- name: Generate CycloneDX SBOM
run: cyclonedx-py environment -o sbom.cdx.json
- name: Upload SBOM to Manifest-Cyber
run: |
sbom="$(base64 -w 0 sbom.cdx.json)"
cat <<EOF > manifest-request.json
{
"base64BomContents": "$sbom",
"source": "github-actions",
"relationship": "first",
"filename": "sbom.cdx.json"
}
EOF
curl --location --fail --request PUT 'https://api.manifestcyber.com/v1/sbom/upload' \
--header 'Authorization: Bearer ${{ secrets.MANIFEST_TOKEN }}' \
--header 'Content-Type: application/json' \
--data-binary "@manifest-request.json"
- name: Archive SBOM
uses: actions/upload-artifact@v4
with:
name: sbom-keepercommander-${{ env.PACKAGE_VERSION }}
path: |
sbom.cdx.json
installed_packages.txt
retention-days: 30
The same workflow, on Latchkey
Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.
name: Generate SBOM on: workflow_dispatch: release: types: [published] jobs: generate-sbom: timeout-minutes: 30 name: "Generate and Publish SBOM" environment: prod runs-on: latchkey-small steps: - name: Checkout repository uses: actions/checkout@v4 - name: Setup Python uses: actions/setup-python@v5 with: cache: 'pip' python-version: "3.12" - name: Install Commander and SBOM tools run: | python -m pip install --upgrade pip wheel setuptools pip install . pip install cyclonedx-bom VERSION=$(python3 -c "import keepercommander.__init__ as init; print(init.__version__)") echo "PACKAGE_VERSION=${VERSION}" >> $GITHUB_ENV pip freeze > installed_packages.txt - name: Generate CycloneDX SBOM run: cyclonedx-py environment -o sbom.cdx.json - name: Upload SBOM to Manifest-Cyber run: | sbom="$(base64 -w 0 sbom.cdx.json)" cat <<EOF > manifest-request.json { "base64BomContents": "$sbom", "source": "github-actions", "relationship": "first", "filename": "sbom.cdx.json" } EOF curl --location --fail --request PUT 'https://api.manifestcyber.com/v1/sbom/upload' \ --header 'Authorization: Bearer ${{ secrets.MANIFEST_TOKEN }}' \ --header 'Content-Type: application/json' \ --data-binary "@manifest-request.json" - name: Archive SBOM uses: actions/upload-artifact@v4 with: name: sbom-keepercommander-${{ env.PACKAGE_VERSION }} path: | sbom.cdx.json installed_packages.txt retention-days: 30
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cache dependency installs on the setup step so they are served from cache.
- Add a job timeout so a hung step cannot burn hours of runner time.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
- Network fetches
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.