Generate SBOM for release

open-feature · Mar 13, 2024 · 42fa07a · 42fa07a
1 parent 3c00757
commit 42fa07a
Showing 1 changed file with 33 additions and 6 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ on:
       - main
 
 jobs:
-  release-package:
+  release-please:
     runs-on: ubuntu-latest
 
     steps:
@@ -16,14 +16,21 @@ jobs:
           command: manifest
           token: ${{secrets.GITHUB_TOKEN}}
           default-branch: main
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      release_tag_name: ${{ steps.release.outputs.tag_name }}
 
+  release:
+    runs-on: ubuntu-latest
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created }}
+
+    steps:
       - uses: actions/checkout@v4
-        if: ${{ steps.release.outputs.releases_created }}
         with:
           fetch-depth: 0
 
       - name: Setup .NET SDK
-        if: ${{ steps.release.outputs.releases_created }}
         uses: actions/setup-dotnet@v4
         env:
           NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -34,13 +41,33 @@ jobs:
           source-url: https://nuget.pkg.github.com/open-feature/index.json
 
       - name: Install dependencies
-        if: ${{ steps.release.outputs.releases_created }}
         run: dotnet restore
 
       - name: Pack
-        if: ${{ steps.release.outputs.releases_created }}
         run: dotnet pack --no-restore
 
       - name: Publish to Nuget
-        if: ${{ steps.release.outputs.releases_created }}
         run: dotnet nuget push "src/**/*.nupkg" --api-key "${{ secrets.NUGET_TOKEN }}" --source https://api.nuget.org/v3/index.json
+
+  sbom:
+    runs-on: ubuntu-latest
+    needs: release-please
+    continue-on-error: true
+    if: ${{ needs.release-please.outputs.release_created }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install CycloneDX.NET
+        run: dotnet tool install CycloneDX
+
+      - name: Generate .NET BOM
+        run: dotnet CycloneDX --json --exclude-dev -sv "${{ needs.release-please.outputs.release_tag_name }}" ./src/OpenFeature/OpenFeature.csproj
+
+      - name: Attach SBOM to artifact
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        run:
+          gh release upload ${{ needs.release-please.outputs.release_tag_name }} bom.json