DevExpress · mpreyskurantov · May 25, 2026 · Jun 3, 2026 · Jun 4, 2026 · Jun 5, 2026
@@ -17,6 +17,8 @@ on:
 env:
   NX_CLOUD_ACCESS_TOKEN: ${{ github.ref_name == github.event.repository.default_branch && secrets.NX_CLOUD_ACCESS_TOKEN || '' }}
   NX_SKIP_NX_CACHE: ${{ contains(github.event.pull_request.labels.*.name, 'skip-cache') && 'true' || 'false' }}
+  CYCLONEDX_CLI_VERSION: 0.32.0
+  CYCLONEDX_CLI_LINUX_X64_SHA256: 454879e6a4a405c8a13bff49b8982adcb0596f3019b26b0811c66e4d7f0783e1
 
 jobs:
   build:
@@ -70,7 +72,35 @@ jobs:
           pnpm set //npm.pkg.github.com/:_authToken="$NODE_AUTH_TOKEN";
           pnpm nx build sbom;
 
-      - name: Upload SBOM artifacts
+      - name: Install CycloneDX CLI
+        if: ${{ github.event_name == 'push' || github.event.inputs.SBOM == 'true' }}
+        shell: bash
+        run: |
+          tool_dir="$RUNNER_TEMP/cyclonedx-cli"
+          mkdir -p "$tool_dir"
+          curl -fsSL "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${{ env.CYCLONEDX_CLI_VERSION }}/cyclonedx-linux-x64" -o "$tool_dir/cyclonedx"
+          echo "${{ env.CYCLONEDX_CLI_LINUX_X64_SHA256 }}  $tool_dir/cyclonedx" | sha256sum -c -
+          chmod +x "$tool_dir/cyclonedx"
+          echo "$tool_dir" >> "$GITHUB_PATH"
+
+      - name: Validate SBOMs
+        if: ${{ github.event_name == 'push' || github.event.inputs.SBOM == 'true' }}
+        shell: bash
+        run: |
+          shopt -s nullglob
+          sbom_files=(packages/sbom/dist/*.sbom.json)
+
+          if [ ${#sbom_files[@]} -eq 0 ]; then
+            echo "No SBOM files found in packages/sbom/dist"
+            exit 1
+          fi
+
+          for file in "${sbom_files[@]}"; do
+            echo "Validating $file"
+            cyclonedx validate --input-file "$file" --input-format json --fail-on-errors
+          done
+
+      - name: Upload SBOMs
         if: ${{ github.event_name == 'push' || github.event.inputs.SBOM == 'true' }}
         uses: actions/upload-artifact@v7
         with:

@@ -27,6 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       packages: ${{ steps.filter.outputs.packages }}
+      version: ${{ steps.packageVersion.outputs.version }}
     steps:
       - name: Get sources
         uses: actions/checkout@v6
@@ -47,40 +48,32 @@ jobs:
         if: ${{ env.SET_TIMESTAMP_VERSION == 'true' }}
         run: pnpm run all:set-timestamp-version
 
-      - name: Build npm packages
-        env:
-          BUILD_INTERNAL_PACKAGE: true
-        run: pnpm run all:build
+      - name: Get package version
+        id: packageVersion
+        run: |
+          PACKAGE_VERSION=$(node -p "require('./package.json').version")
+          echo "version=$PACKAGE_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Build SBOMs
+        continue-on-error: true
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           pnpm set //npm.pkg.github.com/:_authToken="$NODE_AUTH_TOKEN";
           pnpm nx build sbom;
 
-      - name: Build artifacts package
-        run: pnpm run make-artifacts-package
-
-      - name: Upload SBOM artifact
+      - name: Upload SBOMs
         uses: actions/upload-artifact@v7
         with:
-          name: sbom
+          name: sbom-packages
           path: packages/sbom/dist
           retention-days: 7
 
-      - name: Upload packages
-        uses: actions/upload-artifact@v7
-        with:
-          name: packages
-          path: artifacts/npm/*.tgz
-          retention-days: 2
-
       - name: Filter packages
         id: filter
-        working-directory: artifacts/npm
+        working-directory: packages/sbom/dist
         shell: bash
-        run: ls *.tgz | grep -E -i "$FILTER" | sed -r 's/^(.*).tgz$/"\1"/g' | paste -sd "," - | sed -r 's/(.*)/packages=[\1]/' >> "$GITHUB_OUTPUT"
+        run: ls *.sbom.json | grep -E -i "$FILTER" | sed -r 's/^(.*).sbom.json$/"\1"/g' | paste -sd "," - | sed -r 's/(.*)/packages=[\1]/' >> "$GITHUB_OUTPUT"
 
   publish:
     name: Publish package
@@ -94,10 +87,11 @@ jobs:
       - name: Get sources
         uses: actions/checkout@v6
 
-      - name: Download artifacts
+      - name: Download SBOMs
         uses: actions/download-artifact@v8
         with:
-          name: packages
+          name: sbom-packages
+          path: sbom-packages
 
       - name: Use Node.js
         uses: actions/setup-node@v6
@@ -111,29 +105,49 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: Change package scope
-        id: scopedPackage
+      - name: Build SBOM package
+        id: scopedSbomPackage
         env:
           PACKAGE: ${{ matrix.package }}
+          PACKAGE_VERSION: ${{ needs.build.outputs.version }}
         run: |
+          SBOM_FILE="sbom-packages/$PACKAGE.sbom.json";
+
+          # if [ ! -f "$SBOM_FILE" ]; then
+          #   echo "No SBOM found for $PACKAGE"
+          #   echo "hasSbom=false" >> "$GITHUB_OUTPUT";
+          #   exit 0;
+          # fi
+
           SCOPE=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]');
-          PACKAGE_DIR=$(pnpm --silent run change-package-scope --tgz $PACKAGE.tgz --scope $SCOPE)
-          echo "packageDir=$PACKAGE_DIR" >> "$GITHUB_OUTPUT";
-          cd $PACKAGE_DIR;
+          SBOM_PACKAGE_NAME="$PACKAGE-sbom";
+          SBOM_PACKAGE_DIR="sbom-package/$SBOM_PACKAGE_NAME";
+          SBOM_TGZ_DIR="sbom-package-tgz";
+          PACKAGE_LICENSE=$(node -p "require('./package.json').license");
+          PACKAGE_AUTHOR=$(node -p "require('./package.json').author");
+
+          mkdir -p "$SBOM_PACKAGE_DIR" "$SBOM_TGZ_DIR";
+          cp "$SBOM_FILE" "$SBOM_PACKAGE_DIR/";
+          cd "$SBOM_PACKAGE_DIR";
+          node -e "const fs = require('fs'); const [name, version, license, author] = process.argv.slice(1); fs.writeFileSync('package.json', JSON.stringify({ name, version, license, author }, null, 2));" "$SBOM_PACKAGE_NAME" "$PACKAGE_VERSION" "$PACKAGE_LICENSE" "$PACKAGE_AUTHOR";
+          npm pack --pack-destination "../../$SBOM_TGZ_DIR";
+          cd ../..;
+
+          SCOPED_SBOM_PACKAGE_DIR=$(pnpm --silent run change-package-scope --tgz "$SBOM_TGZ_DIR/$SBOM_PACKAGE_NAME-$PACKAGE_VERSION.tgz" --scope "$SCOPE");
+          echo "packageDir=$SCOPED_SBOM_PACKAGE_DIR" >> "$GITHUB_OUTPUT";
+          cd "$SCOPED_SBOM_PACKAGE_DIR";
           pnpm pkg get name | tr -d '"' | sed -r 's/(.*)/name=\1/' >> "$GITHUB_OUTPUT";
           pnpm pkg get version | tr -d '"' | sed -r 's/(.*)/version=\1/' >> "$GITHUB_OUTPUT";
           pnpm pkg get version | tr -d '"' | sed -r 's/([0-9]+\.[0-9]+).*/majorVersion=\1/' >> "$GITHUB_OUTPUT";
 
-        # --ignore-scripts is required for publishing devextreme-angular which fails with error:
-        # 'Trying to publish a package that has been compiled by Ivy in full compilation mode.'
-        # Should be removed.
-      - name: Publish to npm.pkg.github.com
-        working-directory: ${{ steps.scopedPackage.outputs.packageDir }}
+        # --ignore-scripts - like above, should be removed, check if could be removed everywhere
+      - name: Publish SBOM to npm.pkg.github.com
+        working-directory: ${{ steps.scopedSbomPackage.outputs.packageDir }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PACKAGE_NAME: ${{ steps.scopedPackage.outputs.name }}
-          PACKAGE_VERSION: ${{ steps.scopedPackage.outputs.version }}
-          PACKAGE_VERSION_MAJOR: ${{ steps.scopedPackage.outputs.majorVersion }}
+          PACKAGE_NAME: ${{ steps.scopedSbomPackage.outputs.name }}
+          PACKAGE_VERSION: ${{ steps.scopedSbomPackage.outputs.version }}
+          PACKAGE_VERSION_MAJOR: ${{ steps.scopedSbomPackage.outputs.majorVersion }}
         run: |
           pnpm set //npm.pkg.github.com/:_authToken="$NODE_AUTH_TOKEN";
           pnpm publish --no-git-checks --quiet --ignore-scripts --tag $PACKAGE_VERSION_MAJOR-${{ inputs.tag }} --registry https://npm.pkg.github.com;