Skip to content
Latchkey

Generate SBOM workflow (Keeper-Security/Commander)

The Generate SBOM workflow from Keeper-Security/Commander, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get caching, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: Keeper-Security/Commander.github/workflows/sbom.ymlLicense MITView source

What it does

This is the Generate SBOM workflow from the Keeper-Security/Commander repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Generate SBOM

on:
  workflow_dispatch:
  release:
    types: [published]

jobs:
  generate-sbom:
    name: "Generate and Publish SBOM"
    environment: prod
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install Commander and SBOM tools
        run: |
          python -m pip install --upgrade pip wheel setuptools
          pip install .
          pip install cyclonedx-bom

          VERSION=$(python3 -c "import keepercommander.__init__ as init; print(init.__version__)")
          echo "PACKAGE_VERSION=${VERSION}" >> $GITHUB_ENV

          pip freeze > installed_packages.txt

      - name: Generate CycloneDX SBOM
        run: cyclonedx-py environment -o sbom.cdx.json

      - name: Upload SBOM to Manifest-Cyber
        run: |
          sbom="$(base64 -w 0 sbom.cdx.json)"
          cat <<EOF > manifest-request.json
          {
              "base64BomContents": "$sbom",
              "source": "github-actions",
              "relationship": "first",
              "filename": "sbom.cdx.json"
          }
          EOF

          curl --location --fail --request PUT 'https://api.manifestcyber.com/v1/sbom/upload' \
            --header 'Authorization: Bearer ${{ secrets.MANIFEST_TOKEN }}' \
            --header 'Content-Type: application/json' \
            --data-binary "@manifest-request.json"

      - name: Archive SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom-keepercommander-${{ env.PACKAGE_VERSION }}
          path: |
            sbom.cdx.json
            installed_packages.txt
          retention-days: 30

The same workflow, on Latchkey

Estimated ~20% faster on cache hits, plus fewer wasted runs and a safer supply chain. Added and changed lines are highlighted.

name: Generate SBOM
 
on:
  workflow_dispatch:
  release:
    types: [published]
 
jobs:
  generate-sbom:
    timeout-minutes: 30
    name: "Generate and Publish SBOM"
    environment: prod
    runs-on: latchkey-small
 
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
 
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          cache: 'pip'
          python-version: "3.12"
 
      - name: Install Commander and SBOM tools
        run: |
          python -m pip install --upgrade pip wheel setuptools
          pip install .
          pip install cyclonedx-bom
 
          VERSION=$(python3 -c "import keepercommander.__init__ as init; print(init.__version__)")
          echo "PACKAGE_VERSION=${VERSION}" >> $GITHUB_ENV
 
          pip freeze > installed_packages.txt
 
      - name: Generate CycloneDX SBOM
        run: cyclonedx-py environment -o sbom.cdx.json
 
      - name: Upload SBOM to Manifest-Cyber
        run: |
          sbom="$(base64 -w 0 sbom.cdx.json)"
          cat <<EOF > manifest-request.json
          {
              "base64BomContents": "$sbom",
              "source": "github-actions",
              "relationship": "first",
              "filename": "sbom.cdx.json"
          }
          EOF
 
          curl --location --fail --request PUT 'https://api.manifestcyber.com/v1/sbom/upload' \
            --header 'Authorization: Bearer ${{ secrets.MANIFEST_TOKEN }}' \
            --header 'Content-Type: application/json' \
            --data-binary "@manifest-request.json"
 
      - name: Archive SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom-keepercommander-${{ env.PACKAGE_VERSION }}
          path: |
            sbom.cdx.json
            installed_packages.txt
          retention-days: 30
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow