Add example repo

otaviojacobi · otaviojacobi · commit c7590afa1358 · 2025-08-27T15:33:14.000-03:00
diff --git a/.github/workflows/release-and-upload-sbom.yml b/.github/workflows/release-and-upload-sbom.yml
@@ -0,0 +1,79 @@
+name: Release and Upload SBOM to Balena
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+env:
+  FLEET_SLUG: org3/test
+
+jobs:
+  build-and-release:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Generate SBOM using Syft
+        run: |
+          # Install Syft for SBOM generation
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /tmp
+          
+          # Generate SBOM in multiple formats
+          echo "Generating SBOM in SPDX JSON format..."
+          /tmp/syft . -o spdx-json=sbom-spdx.json
+          
+          echo "Generating SBOM in CycloneDX JSON format..."
+          /tmp/syft . -o cyclonedx-json=sbom-cyclonedx.json
+          
+          echo "Generating SBOM in Syft JSON format..."
+          /tmp/syft . -o syft-json=sbom-syft.json
+          
+          # Create a tarball of all SBOMs
+          tar -czf sboms.tar.gz sbom-*.json
+          
+          echo "SBOM files generated:"
+          ls -la sbom-*.json sboms.tar.gz
+
+      - name: balena CLI Action
+        uses: balena-io-experimental/community-cli-action@1.0.0
+        with:
+          balena_token: ${{secrets.BALENA_API_TOKEN}}
+
+      - name: Create Balena Release
+        id: create-release
+        run: |
+          # Push to Balena and create a release
+          echo "Creating release for fleet: ${{ env.FLEET_SLUG }}"
+          
+          # Build and push the release
+          balena push ${{ env.FLEET_SLUG }} --release-tag version=${{ github.ref_name || 'latest' }}
+          
+          # Get the latest release ID
+          RELEASE_ID=$(balena releases ${{ env.FLEET_SLUG }} --json | jq -r '.[0].id')
+          echo "Release ID: $RELEASE_ID"
+          echo "release_id=$RELEASE_ID" >> $GITHUB_OUTPUT
+          
+
+      - name: Upload All SBOM Assets
+        uses: balena-io/upload-balena-release-asset@main
+        with:
+          balena-token: ${{ secrets.BALENA_API_TOKEN }}
+          release-id: ${{ steps.create-release.outputs.release_id }}
+          path: |
+            sbom-spdx.json
+            sbom-cyclonedx.json
+            sbom-syft.json
+            sboms.tar.gz
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,8 @@
+node_modules/
+npm-debug.log*
+.DS_Store
+*.log
+.env
+.env.local
+sbom-*.json
+sboms.tar.gz
diff --git a/Dockerfile.template b/Dockerfile.template
@@ -0,0 +1,27 @@
+FROM node:22-bookworm-slim AS build
+
+# Defines our working directory in container
+WORKDIR /build
+
+# Copies the package.json first for better cache on later pushes
+COPY package*.json ./
+
+# Install npm dependencies
+RUN JOBS=MAX npm ci --omit=dev
+
+# This will copy all files in our root to the working directory in the container
+COPY . ./
+
+# Image that will be used to run the application
+FROM node:22-bookworm-slim
+
+ENV NODE_ENV=production
+WORKDIR /usr/src/app
+
+COPY --from=build /build .
+
+# Use node user instead of root for security
+USER node
+
+# Use exec form for better signal handling
+CMD ["node", "src/server.js"]
diff --git a/README.md b/README.md
@@ -1 +1,14 @@
-# release-assets-hello-world
+# Balena Hello World with SBOM Upload Example
+
+This repository demonstrates how to set up a GitHub Action workflow that:
+1. Creates a balena release
+2. Generates Software Bill of Materials (SBOM) in multiple formats
+3. Uploads SBOM files as balena release assets using the `balena-io/upload-balena-release-asset` action
+
+## Features
+
+- Simple Node.js Express application
+- Multi-architecture support via balena
+- Automated SBOM generation using Syft
+- SBOM upload to balena releases
+- GitHub release creation with SBOM artifacts
diff --git a/balena.yml b/balena.yml
@@ -0,0 +1,5 @@
+name: balena-hello-world-sbom
+type: sw.application
+description: >-
+  A simple hello world application demonstrating SBOM generation and upload 
+  using GitHub Actions and balena release assets.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,11 @@
+version: '2'
+services:
+  hello-world:
+    build: .
+    ports:
+      - "80:80"
+    restart: always
+    labels:
+      io.balena.features.supervisor-api: '1'
+    environment:
+      - PORT=80
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
diff --git a/server.js b/server.js
