[WIP] Use @yclonedx/cyclonedx-npm via npx, not an action

thlehmann-ionos · thlehmann-ionos · commit 6cc653b54fa7 · 2025-01-31T17:44:24.000+01:00
The action was declared to be deprecated [1], [2] was mentioned as alternative. [1]: https://github.com/CycloneDX/gh-node-module-generatebom?tab=readme-ov-file [2]: https://www.npmjs.com/package/%40cyclonedx/cyclonedx-npm
diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml
@@ -51,10 +51,8 @@ jobs:
           npm ci
 
       - name: Generate SBOM (npm)
-        # https://github.com/CycloneDX/gh-node-module-generatebom
-        uses: CycloneDX/gh-node-module-generatebom@v1
-        with:
-          output: './bom.npm.xml'
+        run: |
+          npx @cyclonedx/cyclonedx-npm --output-format XML --output-file './bom.npm.xml'
 
       # Pass BOMs to next Job
       # https://github.com/actions/upload-artifact
