src/features/sbom.ts

import * as c from '../constants'
import * as core from '@actions/core'
import * as fs from 'fs'
import * as github from '@actions/github'
import * as glob from '@actions/glob'
import { basename } from 'path'
import * as semver from 'semver'
import { setNativeImageOption } from '../utils'

const INPUT_NI_SBOM = 'native-image-enable-sbom'
const SBOM_FILE_SUFFIX = '.sbom.json'
const MIN_JAVA_VERSION = '24.0.0'
const javaVersionKey = 'javaVersionKey'

interface SBOM {
  components: Component[]
  dependencies: Dependency[]
}

interface Component {
  name: string
  version?: string
  purl?: string
  dependencies?: string[]
  'bom-ref': string
}

interface Dependency {
  ref: string
  dependsOn: string[]
}

interface DependencySnapshot {
  version: number
  sha: string
  ref: string
  job: {
    correlator: string
    id: string
    html_url?: string
  }
  detector: {
    name: string
    version: string
    url: string
  }
  scanned: string
  manifests: Record<
    string,
    {
      name: string
      metadata?: Record<string, string>
      // Not including the 'file' property because we cannot specify any reasonable value for 'source_location'
      // since the SBOM will not necessarily be saved in the repository of the user.
      // GitHub docs: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository
      resolved: Record<
        string,
        {
          package_url: string
          relationship?: 'direct'
          scope?: 'runtime'
          dependencies?: string[]
        }
      >
    }
  >
}

export function setUpSBOMSupport(javaVersion: string, distribution: string): void {
  if (!isFeatureEnabled()) {
    return
  }

  validateJavaVersionAndDistribution(javaVersion, distribution)
  core.saveState(javaVersionKey, javaVersion)
  setNativeImageOption(javaVersion, '--enable-sbom=export')
  core.info('Enabled SBOM generation for Native Image build')
}

function validateJavaVersionAndDistribution(javaVersion: string, distribution: string): void {
  if (distribution !== c.DISTRIBUTION_GRAALVM) {
    throw new Error(
      `The '${INPUT_NI_SBOM}' option is only supported for Oracle GraalVM (distribution '${c.DISTRIBUTION_GRAALVM}'), but found distribution '${distribution}'.`
    )
  }

  if (javaVersion === 'dev') {
    throw new Error(`The '${INPUT_NI_SBOM}' option is not supported for java-version 'dev'.`)
  }

  if (javaVersion === 'latest-ea') {
    return
  }

  const coercedJavaVersion = semver.coerce(javaVersion)
  if (!coercedJavaVersion || semver.gt(MIN_JAVA_VERSION, coercedJavaVersion)) {
    throw new Error(
      `The '${INPUT_NI_SBOM}' option is only supported for GraalVM for JDK ${MIN_JAVA_VERSION} or later, but found java-version '${javaVersion}'.`
    )
  }
}

export async function processSBOM(): Promise<void> {
  if (!isFeatureEnabled()) {
    return
  }

  const javaVersion = core.getState(javaVersionKey)
  if (!javaVersion) {
    throw new Error('setUpSBOMSupport must be called before processSBOM')
  }

  const sbomPath = await findSBOMFilePath()
  try {
    const sbomContent = fs.readFileSync(sbomPath, 'utf8')
    const sbomData = parseSBOM(sbomContent)
    const components = mapToComponentsWithDependencies(sbomData)
    printSBOMContent(components)
    const snapshot = convertSBOMToSnapshot(javaVersion, sbomPath, components)
    await submitDependencySnapshot(snapshot)
  } catch (error) {
    throw new Error(
      `Failed to process and submit SBOM to the GitHub dependency submission API: ${error instanceof Error ? error.message : String(error)}`
    )
  }
}

function isFeatureEnabled(): boolean {
  return core.getInput(INPUT_NI_SBOM) === 'true'
}

async function findSBOMFilePath(): Promise<string> {
  const globber = await glob.create(`**/*${SBOM_FILE_SUFFIX}`)
  const sbomFiles = await globber.glob()

  if (sbomFiles.length === 0) {
    throw new Error('No SBOM found. Make sure native-image build completed successfully.')
  }

  if (sbomFiles.length > 1) {
    throw new Error(`Expected one SBOM but found multiple: ${sbomFiles.join(', ')}.`)
  }

  core.info(`Found SBOM: ${sbomFiles[0]}`)
  return sbomFiles[0]
}

function parseSBOM(jsonString: string): SBOM {
  try {
    const sbomData: SBOM = JSON.parse(jsonString)
    return sbomData
  } catch (error) {
    throw new Error(`Failed to parse SBOM JSON: ${error instanceof Error ? error.message : String(error)}`)
  }
}

// Maps the SBOM to a list of components with their dependencies
function mapToComponentsWithDependencies(sbom: SBOM): Component[] {
  if (!sbom || sbom.components.length === 0) {
    throw new Error('Invalid SBOM data or no components found.')
  }

  return sbom.components.map((component: Component) => {
    const dependencies = sbom.dependencies?.find((dep: Dependency) => dep.ref === component['bom-ref'])?.dependsOn || []

    return {
      name: component.name,
      version: component.version,
      purl: component.purl,
      dependencies,
      'bom-ref': component['bom-ref']
    }
  })
}

function printSBOMContent(components: Component[]): void {
  core.info('=== SBOM Content ===')
  for (const component of components) {
    core.info(`- ${component['bom-ref']}`)
    if (component.dependencies && component.dependencies.length > 0) {
      core.info(`   depends on: ${component.dependencies.join(', ')}`)
    }
  }
  core.info('==================')
}

function convertSBOMToSnapshot(javaVersion: string, sbomPath: string, components: Component[]): DependencySnapshot {
  const context = github.context
  const sbomFileName = basename(sbomPath)

  if (!sbomFileName.endsWith(SBOM_FILE_SUFFIX)) {
    throw new Error(`Invalid SBOM file name: ${sbomFileName}. Expected a file ending with ${SBOM_FILE_SUFFIX}.`)
  }

  return {
    version: 0,
    sha: context.sha,
    ref: context.ref,
    job: {
      correlator: `${context.workflow}_${context.job}`,
      id: context.runId.toString(),
      html_url: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
    },
    detector: {
      name: 'Oracle GraalVM',
      version: javaVersion,
      url: 'https://www.graalvm.org/'
    },
    scanned: new Date().toISOString(),
    manifests: {
      [sbomFileName]: {
        name: sbomFileName,
        resolved: mapComponentsToGithubAPIFormat(components),
        metadata: {
          generated_by: 'SBOM generated by GraalVM Native Image',
          action_version: c.ACTION_VERSION
        }
      }
    }
  }
}

function mapComponentsToGithubAPIFormat(
  components: Component[]
): Record<string, { package_url: string; dependencies?: string[] }> {
  return Object.fromEntries(
    components
      .filter((component) => {
        if (!component.purl) {
          core.info(`Component ${component.name} does not have a valid package URL (purl). Skipping.`)
        }
        return component.purl
      })
      .map((component) => [
        component.name,
        {
          package_url: component.purl as string,
          dependencies: component.dependencies || []
        }
      ])
  )
}

async function submitDependencySnapshot(snapshotData: DependencySnapshot): Promise<void> {
  const token = core.getInput(c.INPUT_GITHUB_TOKEN, { required: true })
  const octokit = github.getOctokit(token)
  const context = github.context

  try {
    await octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', {
      owner: context.repo.owner,
      repo: context.repo.repo,
      version: snapshotData.version,
      sha: snapshotData.sha,
      ref: snapshotData.ref,
      job: snapshotData.job,
      detector: snapshotData.detector,
      metadata: {},
      scanned: snapshotData.scanned,
      manifests: snapshotData.manifests,
      headers: {
        'X-GitHub-Api-Version': '2022-11-28'
      }
    })
    core.info('Dependency snapshot submitted successfully.')
  } catch (error) {
    throw new Error(
      `Failed to submit dependency snapshot for SBOM: ${error instanceof Error ? error.message : String(error)}`
    )
  }
}
Convert back to CJS and use ncc. 2025-02-12 20:42:16 +01:00			`import * as c from '../constants'`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`import * as core from '@actions/core'`
			`import * as fs from 'fs'`
			`import * as github from '@actions/github'`
			`import * as glob from '@actions/glob'`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			`import { basename } from 'path'`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`import * as semver from 'semver'`
Convert back to CJS and use ncc. 2025-02-12 20:42:16 +01:00			`import { setNativeImageOption } from '../utils'`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00
			`const INPUT_NI_SBOM = 'native-image-enable-sbom'`
			`const SBOM_FILE_SUFFIX = '.sbom.json'`
			`const MIN_JAVA_VERSION = '24.0.0'`
SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`const javaVersionKey = 'javaVersionKey'`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00
			`interface SBOM {`
			`components: Component[]`
			`dependencies: Dependency[]`
			`}`

			`interface Component {`
			`name: string`
			`version?: string`
			`purl?: string`
			`dependencies?: string[]`
			`'bom-ref': string`
			`}`

			`interface Dependency {`
			`ref: string`
			`dependsOn: string[]`
			`}`

			`interface DependencySnapshot {`
			`version: number`
			`sha: string`
			`ref: string`
			`job: {`
			`correlator: string`
			`id: string`
			`html_url?: string`
			`}`
			`detector: {`
			`name: string`
			`version: string`
			`url: string`
			`}`
			`scanned: string`
			`manifests: Record<`
			`string,`
			`{`
			`name: string`
			`metadata?: Record<string, string>`
			`// Not including the 'file' property because we cannot specify any reasonable value for 'source_location'`
			`// since the SBOM will not necessarily be saved in the repository of the user.`
			`// GitHub docs: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository`
			`resolved: Record<`
			`string,`
			`{`
			`package_url: string`
			`relationship?: 'direct'`
			`scope?: 'runtime'`
			`dependencies?: string[]`
			`}`
			`>`
			`}`
			`>`
			`}`

SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`export function setUpSBOMSupport(javaVersion: string, distribution: string): void {`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`if (!isFeatureEnabled()) {`
			`return`
			`}`

SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`validateJavaVersionAndDistribution(javaVersion, distribution)`
			`core.saveState(javaVersionKey, javaVersion)`
			`setNativeImageOption(javaVersion, '--enable-sbom=export')`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`core.info('Enabled SBOM generation for Native Image build')`
			`}`

SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`function validateJavaVersionAndDistribution(javaVersion: string, distribution: string): void {`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`if (distribution !== c.DISTRIBUTION_GRAALVM) {`
			`throw new Error(`
			`The '${INPUT_NI_SBOM}' option is only supported for Oracle GraalVM (distribution '${c.DISTRIBUTION_GRAALVM}'), but found distribution '${distribution}'.`
			`)`
			`}`

SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`if (javaVersion === 'dev') {`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			throw new Error(`The '${INPUT_NI_SBOM}' option is not supported for java-version 'dev'.`)
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`}`

SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`if (javaVersion === 'latest-ea') {`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`return`
			`}`

SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`const coercedJavaVersion = semver.coerce(javaVersion)`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`if (!coercedJavaVersion \|\| semver.gt(MIN_JAVA_VERSION, coercedJavaVersion)) {`
			`throw new Error(`
SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`The '${INPUT_NI_SBOM}' option is only supported for GraalVM for JDK ${MIN_JAVA_VERSION} or later, but found java-version '${javaVersion}'.`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`)`
			`}`
			`}`

			`export async function processSBOM(): Promise<void> {`
			`if (!isFeatureEnabled()) {`
			`return`
			`}`

SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`const javaVersion = core.getState(javaVersionKey)`
			`if (!javaVersion) {`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`throw new Error('setUpSBOMSupport must be called before processSBOM')`
			`}`

			`const sbomPath = await findSBOMFilePath()`
			`try {`
			`const sbomContent = fs.readFileSync(sbomPath, 'utf8')`
			`const sbomData = parseSBOM(sbomContent)`
			`const components = mapToComponentsWithDependencies(sbomData)`
			`printSBOMContent(components)`
SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`const snapshot = convertSBOMToSnapshot(javaVersion, sbomPath, components)`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`await submitDependencySnapshot(snapshot)`
			`} catch (error) {`
			`throw new Error(`
			`Failed to process and submit SBOM to the GitHub dependency submission API: ${error instanceof Error ? error.message : String(error)}`
			`)`
			`}`
			`}`

			`function isFeatureEnabled(): boolean {`
			`return core.getInput(INPUT_NI_SBOM) === 'true'`
			`}`

			`async function findSBOMFilePath(): Promise<string> {`
			const globber = await glob.create(`*/${SBOM_FILE_SUFFIX}`)
			`const sbomFiles = await globber.glob()`

			`if (sbomFiles.length === 0) {`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			`throw new Error('No SBOM found. Make sure native-image build completed successfully.')`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`}`

			`if (sbomFiles.length > 1) {`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			throw new Error(`Expected one SBOM but found multiple: ${sbomFiles.join(', ')}.`)
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`}`

			core.info(`Found SBOM: ${sbomFiles[0]}`)
			`return sbomFiles[0]`
			`}`

			`function parseSBOM(jsonString: string): SBOM {`
			`try {`
			`const sbomData: SBOM = JSON.parse(jsonString)`
			`return sbomData`
			`} catch (error) {`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			throw new Error(`Failed to parse SBOM JSON: ${error instanceof Error ? error.message : String(error)}`)
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`}`
			`}`

			`// Maps the SBOM to a list of components with their dependencies`
			`function mapToComponentsWithDependencies(sbom: SBOM): Component[] {`
			`if (!sbom \|\| sbom.components.length === 0) {`
			`throw new Error('Invalid SBOM data or no components found.')`
			`}`

			`return sbom.components.map((component: Component) => {`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			`const dependencies = sbom.dependencies?.find((dep: Dependency) => dep.ref === component['bom-ref'])?.dependsOn \|\| []`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00
			`return {`
			`name: component.name,`
			`version: component.version,`
			`purl: component.purl,`
			`dependencies,`
			`'bom-ref': component['bom-ref']`
			`}`
			`})`
			`}`

			`function printSBOMContent(components: Component[]): void {`
			`core.info('=== SBOM Content ===')`
			`for (const component of components) {`
			core.info(`- ${component['bom-ref']}`)
			`if (component.dependencies && component.dependencies.length > 0) {`
			core.info(` depends on: ${component.dependencies.join(', ')}`)
			`}`
			`}`
			`core.info('==================')`
			`}`

SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`function convertSBOMToSnapshot(javaVersion: string, sbomPath: string, components: Component[]): DependencySnapshot {`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`const context = github.context`
			`const sbomFileName = basename(sbomPath)`

			`if (!sbomFileName.endsWith(SBOM_FILE_SUFFIX)) {`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			throw new Error(`Invalid SBOM file name: ${sbomFileName}. Expected a file ending with ${SBOM_FILE_SUFFIX}.`)
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`}`

			`return {`
			`version: 0,`
			`sha: context.sha,`
			`ref: context.ref,`
			`job: {`
			correlator: `${context.workflow}_${context.job}`,
			`id: context.runId.toString(),`
			html_url: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
			`},`
			`detector: {`
			`name: 'Oracle GraalVM',`
SBOM: Ensure 'java-version' is persisted to post-run phase 2025-03-03 11:00:17 +01:00			`version: javaVersion,`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`url: 'https://www.graalvm.org/'`
			`},`
			`scanned: new Date().toISOString(),`
			`manifests: {`
			`[sbomFileName]: {`
			`name: sbomFileName,`
			`resolved: mapComponentsToGithubAPIFormat(components),`
			`metadata: {`
			`generated_by: 'SBOM generated by GraalVM Native Image',`
			`action_version: c.ACTION_VERSION`
			`}`
			`}`
			`}`
			`}`
			`}`

			`function mapComponentsToGithubAPIFormat(`
			`components: Component[]`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			`): Record<string, { package_url: string; dependencies?: string[] }> {`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`return Object.fromEntries(`
			`components`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			`.filter((component) => {`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`if (!component.purl) {`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			core.info(`Component ${component.name} does not have a valid package URL (purl). Skipping.`)
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`}`
			`return component.purl`
			`})`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			`.map((component) => [`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`component.name,`
			`{`
			`package_url: component.purl as string,`
			`dependencies: component.dependencies \|\| []`
			`}`
			`])`
			`)`
			`}`

Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			`async function submitDependencySnapshot(snapshotData: DependencySnapshot): Promise<void> {`
			`const token = core.getInput(c.INPUT_GITHUB_TOKEN, { required: true })`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`const octokit = github.getOctokit(token)`
			`const context = github.context`

			`try {`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			`await octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', {`
			`owner: context.repo.owner,`
			`repo: context.repo.repo,`
			`version: snapshotData.version,`
			`sha: snapshotData.sha,`
			`ref: snapshotData.ref,`
			`job: snapshotData.job,`
			`detector: snapshotData.detector,`
			`metadata: {},`
			`scanned: snapshotData.scanned,`
			`manifests: snapshotData.manifests,`
			`headers: {`
			`'X-GitHub-Api-Version': '2022-11-28'`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`}`
Adjust printWidth to 120. 2025-02-10 09:16:33 +01:00			`})`
Integrate Native Image SBOM with GitHub's Dependency Submission API (#119) Co-authored-by: Fabio Niephaus <fabio.niephaus@oracle.com> 2025-01-21 09:00:42 +01:00			`core.info('Dependency snapshot submitted successfully.')`
			`} catch (error) {`
			`throw new Error(`
			`Failed to submit dependency snapshot for SBOM: ${error instanceof Error ? error.message : String(error)}`
			`)`
			`}`
			`}`