From 3adeaede4e00ffb452d814fc24a2325aec875f2d Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 27 Aug 2024 17:14:57 +0800
Subject: [PATCH] chore: add SBOM generation and release attestation

---
 .github/workflows/release.yaml | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 21f08e8d..34c0759f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,7 +3,7 @@ name: Release CLI
 on:
 push:
 tags:
- - 'v*.*.*'
+ - 'v*.*.*'
 
 jobs:
 release:
@@ -29,9 +29,23 @@ jobs:
 # create the archived versions and remove anything not required for the release
 rm ./builds/README.md ./builds/release_template.md
 for BUILD in $(ls builds); do tar --transform="flags=r;s|${BUILD}|lagoon|" -czf builds/${BUILD}.tar.gz -C builds ${BUILD}; done
+ - name: Generate SBOM from Github API
+ uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
+ id: sbom
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Move SBOM to avoid dirty git
+ run: mv "$GITHUB_SBOM_PATH" ./sbom.spdx.json
+ env:
+ GITHUB_SBOM_PATH: ${{ steps.sbom.outputs.fileName }}
 - name: Create GitHub Release
 uses: softprops/action-gh-release@v1
 if: startsWith(github.ref, 'refs/tags/')
 with:
 files: |
- builds/*
\ No newline at end of file
+ builds/*
+ sbom.spdx.json
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+ with:
+ subject-path: "builds/*"
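Review bot: The new attestation step's `subject-path: "builds/*"` covers only the build archives, so `sbom.spdx.json`, which the same hunk adds to the release assets, is published without any provenance, and the glob also spans the unarchived per-platform directories the `for BUILD` loop leaves in `builds/`; if `subject-path` accepts a multi-line list as its input description suggests, `subject-path: |` / `builds/*.tar.gz` / `sbom.spdx.json` would cover exactly the uploaded files. `actions/attest-build-provenance` also requires `id-token: write` and `attestations: write` on the job; the `release` job's header and any `permissions` block lie outside this hunk, so confirm they are granted there (alongside the `contents: write` the release upload needs) rather than relying on the workflow default. A comment above the SBOM step would help future readers judge what the document covers, e.g. `# SBOM is built from the repository's dependency graph via the API, not from the archived binaries`. The new steps are pinned to commit SHAs while the adjacent, pre-existing `softprops/action-gh-release@v1` line is a mutable tag; aligning the pinning style is worth a follow-up.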