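# Generates a CycloneDX SBOM for the project from its exported Poetry
# requirements, uploads it as an artifact, and hands it to the shared
# eclipse-csi "store-sbom-data" workflow for ingestion into sbom.eclipse.org.
name: Generate and ingest SBOM into sbom.eclipse.org

on:
  push:
    branches:
      - main
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      version:
        description: 'Version'
        default: 'main'
        required: true

env:
  PYTHON_VERSION: '3.12'
  POETRY_VERSION: '2.0.1'

# Least privilege: nothing here writes back to the repository, so the
# GITHUB_TOKEN only needs read access to the contents.
permissions:
  contents: read

jobs:
  generate-sbom:
    runs-on: ubuntu-latest
    outputs:
      # Exposed for the downstream store-sbom-data job.
      project-version: ${{ steps.export.outputs.PROJECT_VERSION }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Do not leave the job token in .git/config for later steps/tools.
          persist-credentials: false
          # Full history; presumably needed to derive the project version — TODO confirm
          fetch-depth: 0
          # Empty on push events (checkout then falls back to the triggering
          # ref); on workflow_dispatch it is the operator-supplied input.
          ref: ${{ github.event.inputs.version }}
      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
        with:
          virtualenvs-in-project: true
          version: ${{ env.POETRY_VERSION }}
      - name: Install cyclonedx-py
        # Version-pinned install of the SBOM generator (no hash pinning).
        run: pipx install cyclonedx-bom==5.1.1
      - name: "Get project version and export requirements"
        id: export
        shell: bash
        # NOTE(review): with Poetry 2.x `poetry export` is provided by
        # poetry-plugin-export; confirm it is available in this environment.
        run: |
          poetry install
          poetry export --only=main,app -o requirements.txt
          # Strip the dev-release counter so e.g. 1.2.3.dev7 (constructed
          # sample) becomes 1.2.3.dev; the dot is escaped so the pattern does
          # not match an arbitrary character before "dev".
          VERSION=$(poetry version -s | sed 's/\.dev[0-9]*/.dev/')
          echo "PROJECT_VERSION=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Generate sbom
        run: cyclonedx-py requirements -o otterdog-bom.json
      - name: Upload sbom
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: sbom
          path: otterdog-bom.json

  # Stores the SBOM and its metadata in a predefined format for otterdog to pick up.
  store-sbom-data:
    needs:
      - generate-sbom
    # The reusable workflow is referenced by a mutable branch (main), so its
    # contents can change between runs; pin to a tag or commit SHA if
    # reproducibility of this step matters.
    uses: eclipse-csi/workflows/.github/workflows/store-sbom-data.yml@main
    with:
      projectName: 'otterdog'
      projectVersion: ${{ needs.generate-sbom.outputs.project-version }}
      bomArtifact: 'sbom'
      bomFilename: 'otterdog-bom.json'
      parentProject: 'caa07057-876a-44f9-b162-d2c0684e5dc5'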