DevExpress · mpreyskurantov · May 25, 2026 · Jun 3, 2026 · Jun 4, 2026
@@ -17,6 +17,8 @@ on:
 env:
   NX_CLOUD_ACCESS_TOKEN: ${{ github.ref_name == github.event.repository.default_branch && secrets.NX_CLOUD_ACCESS_TOKEN || '' }}
   NX_SKIP_NX_CACHE: ${{ contains(github.event.pull_request.labels.*.name, 'skip-cache') && 'true' || 'false' }}
+  CYCLONEDX_CLI_VERSION: 0.32.0
+  CYCLONEDX_CLI_LINUX_X64_SHA256: 454879e6a4a405c8a13bff49b8982adcb0596f3019b26b0811c66e4d7f0783e1
 
 jobs:
   build:
@@ -70,7 +72,35 @@ jobs:
           pnpm set //npm.pkg.github.com/:_authToken="$NODE_AUTH_TOKEN";
           pnpm nx build sbom;
 
-      - name: Upload SBOM artifacts
+      - name: Install CycloneDX CLI
+        if: ${{ github.event_name == 'push' || github.event.inputs.SBOM == 'true' }}
+        shell: bash
+        run: |
+          tool_dir="$RUNNER_TEMP/cyclonedx-cli"
+          mkdir -p "$tool_dir"
+          curl -fsSL "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${{ env.CYCLONEDX_CLI_VERSION }}/cyclonedx-linux-x64" -o "$tool_dir/cyclonedx"
+          echo "${{ env.CYCLONEDX_CLI_LINUX_X64_SHA256 }}  $tool_dir/cyclonedx" | sha256sum -c -
+          chmod +x "$tool_dir/cyclonedx"
+          echo "$tool_dir" >> "$GITHUB_PATH"
+
+      - name: Validate SBOMs
+        if: ${{ github.event_name == 'push' || github.event.inputs.SBOM == 'true' }}
+        shell: bash
+        run: |
+          shopt -s nullglob
+          sbom_files=(packages/sbom/dist/*.sbom.json)
+
+          if [ ${#sbom_files[@]} -eq 0 ]; then
+            echo "No SBOM files found in packages/sbom/dist"
+            exit 1
+          fi
+
+          for file in "${sbom_files[@]}"; do
+            echo "Validating $file"
+            cyclonedx validate --input-file "$file" --input-format json --fail-on-errors
+          done
+
+      - name: Upload SBOMs
         if: ${{ github.event_name == 'push' || github.event.inputs.SBOM == 'true' }}
         uses: actions/upload-artifact@v7
         with:

@@ -20,6 +20,8 @@ env:
   NX_SKIP_NX_CACHE: true
   FILTER: ${{ github.event_name == 'workflow_dispatch' && inputs.filter || '' }}
   SET_TIMESTAMP_VERSION:  ${{ inputs.tag == 'daily' }}
+  CYCLONEDX_CLI_VERSION: 0.32.0
+  CYCLONEDX_CLI_WIN_X64_SHA256: b1c00dbb40e628ec8c1252771871341ac4d4aaf032f832d83bd22cb2b1d258ae
 
 jobs:
   build:
@@ -81,10 +83,36 @@ jobs:
           pnpm set "//npm.pkg.github.com/:_authToken" "$env:NODE_AUTH_TOKEN"
           pnpm nx build sbom;
 
+      - name: Install CycloneDX CLI
+        shell: bash
+        run: |
+          tool_dir="$RUNNER_TEMP/cyclonedx-cli"
+          mkdir -p "$tool_dir"
+          curl -fsSL "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${{ env.CYCLONEDX_CLI_VERSION }}/cyclonedx-win-x64.exe" -o "$tool_dir/cyclonedx.exe"
+          echo "${{ env.CYCLONEDX_CLI_WIN_X64_SHA256 }}  $tool_dir/cyclonedx.exe" | sha256sum -c -
+          chmod +x "$tool_dir/cyclonedx.exe" || true
+          echo "$tool_dir" >> "$GITHUB_PATH"
+
+      - name: Validate SBOMs
+        shell: bash
+        run: |
+          shopt -s nullglob
+          sbom_files=(packages/sbom/dist/*.sbom.json)
+
+          if [ ${#sbom_files[@]} -eq 0 ]; then
+            echo "No SBOM files found in packages/sbom/dist"
+            exit 1
+          fi
+
+          for file in "${sbom_files[@]}"; do
+            echo "Validating $file"
+            cyclonedx validate --input-file "$file" --input-format json --fail-on-errors
+          done
+
       - name: Build artifacts package
         run: pnpm run make-artifacts-package
 
-      - name: Upload SBOM artifact
+      - name: Upload SBOMs
         uses: actions/upload-artifact@v7
         with:
           name: sbom