
Add validate-sbom action#48

Open
mpreyskurantov wants to merge 5 commits into DevExpress:main from mpreyskurantov:sbom-val-dev

Conversation

@mpreyskurantov

Contributor

Adds a shared GitHub Action for validating CycloneDX SBOM files in CI.

The action downloads a pinned CycloneDX CLI binary, verifies its SHA-256 checksum, and runs cyclonedx validate --fail-on-errors against one or more provided SBOM files. It supports validating a single file via input-file or multiple files via input-files, where paths may be separated by newlines, commas, or semicolons.

The action runs on Node 24, uses CycloneDX CLI 0.32.0, and selects the correct binary based on RUNNER_OS. If RUNNER_OS is missing, it defaults to Linux. Unsupported runner OS values fail explicitly with a clear error.

Usage

- name: Validate SBOM
  uses: DevExpress/github-actions/validate-sbom@main
  with:
    input-format: json
    input-file: sbom.cdx.json

Multiple files:

- name: Validate SBOM files
  uses: DevExpress/github-actions/validate-sbom@main
  with:
    input-format: json
    input-files: |
      package-a/sbom.cdx.json
      package-b/sbom.cdx.json
      package-c/sbom.cdx.json

Inputs

  • input-format
    SBOM file format passed to CycloneDX CLI. Defaults to json.

  • input-file
    Path to a single SBOM file to validate.

  • input-files
    Newline, comma, or semicolon separated paths to SBOM files.

At least one of input-file or input-files must be provided.

Failure Conditions

The action fails when no SBOM file is provided, the runner OS is unsupported, the CycloneDX CLI download or checksum verification fails, or CycloneDX reports validation errors for any SBOM file.
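An added illustration of the three behaviours the description above spells out (multi-file path splitting, RUNNER_OS resolution with a Linux default and an explicit failure for unsupported values, and SHA-256 verification of the downloaded binary before it is run). This is example code written for this page, not the PR's own main.ts or path-utils.ts; the function names and the constructed sample bytes are assumptions.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Split an `input-files` value on newlines, commas or semicolons, trim each
// entry and drop empties. Illustrative reimplementation, not the PR's splitPaths.
function splitPaths(raw: string): string[] {
  return raw
    .split(/[\r\n,;]+/)
    .map((p) => p.trim())
    .filter((p) => p.length > 0);
}

// Merge `input-file` and `input-files`; the action requires at least one.
// A single input-file is taken verbatim so a comma in the path is not a separator.
function collectSbomPaths(inputFile: string, inputFiles: string): string[] {
  const single = inputFile.trim();
  const paths = [...(single ? [single] : []), ...splitPaths(inputFiles)];
  if (paths.length === 0) {
    throw new Error("At least one of input-file or input-files must be provided");
  }
  return paths;
}

// GitHub sets RUNNER_OS to "Linux", "Windows" or "macOS". Missing -> Linux,
// anything else fails explicitly rather than silently picking a binary.
type RunnerOs = "Linux" | "Windows" | "macOS";
function resolveRunnerOs(runnerOs: string | undefined): RunnerOs {
  if (runnerOs === undefined || runnerOs === "") return "Linux";
  if (runnerOs === "Linux" || runnerOs === "Windows" || runnerOs === "macOS") return runnerOs;
  throw new Error(`Unsupported RUNNER_OS: ${runnerOs}`);
}

function sha256Hex(data: Buffer): string {
  return createHash("sha256").update(data).digest("hex");
}

// Gate execution of the downloaded CLI on the pinned checksum. Hex is
// normalised to lower case; a length mismatch (malformed or truncated
// expected value) is a verification failure, not an exception.
function verifyChecksum(data: Buffer, expectedHex: string): boolean {
  const actual = Buffer.from(sha256Hex(data), "hex");
  const expected = Buffer.from(expectedHex.trim().toLowerCase(), "hex");
  if (actual.length !== expected.length) return false;
  return timingSafeEqual(actual, expected);
}
```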

@mpreyskurantov mpreyskurantov self-assigned this Jun 15, 2026
Copilot AI review requested due to automatic review settings June 15, 2026 18:15

Copilot AI left a comment

Contributor


Pull request overview

Adds a new reusable GitHub Action (validate-sbom) to validate CycloneDX SBOM files in CI using a pinned CycloneDX CLI download with SHA-256 verification, plus a shared splitPaths helper for parsing multi-file inputs.

Changes:

  • Introduces validate-sbom action (Node 24) that downloads CycloneDX CLI v0.32.0, verifies checksum, and runs cyclonedx validate --fail-on-errors on one or more SBOM files.
  • Adds splitPaths() to common and updates bundled dist outputs of existing actions to include the new export.
  • Registers the new workspace package and updates the lockfile.

Reviewed changes

Copilot reviewed 7 out of 12 changed files in this pull request and generated 2 comments.

File Description
verify-version-change/dist/index.js Re-bundled output to include splitPaths export from common.
pr-filter/dist/index.js Re-bundled output to include splitPaths export from common.
get-changed-files/dist/index.js Re-bundled output to include splitPaths export from common.
common/src/path-utils.ts Adds splitPaths() helper to parse newline/comma/semicolon-separated path lists.
common/src/path-utils.test.ts Adds unit tests covering splitPaths() parsing behavior.
validate-sbom/src/main.ts Implements the SBOM validation action logic (download CLI, checksum verify, validate files).
validate-sbom/action.yml Declares action inputs and runs via node24 using dist/index.js.
validate-sbom/package.json Adds package metadata and build scripts/dependencies for the new action.
validate-sbom/tsconfig.json TypeScript configuration for the new action package.
pnpm-workspace.yaml Adds validate-sbom to the workspace packages.
pnpm-lock.yaml Adds lock entries for validate-sbom dependencies.
Files not reviewed (1)
  • pnpm-lock.yaml: Generated file


