From 296f89b7a15da248171b955178fedbffd5e830df Mon Sep 17 00:00:00 2001
From: Arnout Engelen
Date: Mon, 1 Jul 2024 12:15:32 +0200
Subject: [PATCH] feat: publish SBOMs

While clearly not perfect, I think we should start growing towards publishing valid SBOMs for our artifacts, and publishing these is a good first step in that direction.
---
 project/PekkoBuild.scala | 5 +++++
 project/plugins.sbt | 1 +
 2 files changed, 6 insertions(+)

diff --git a/project/PekkoBuild.scala b/project/PekkoBuild.scala
index 820ec8ad272..b68a236009a 100644
--- a/project/PekkoBuild.scala
+++ b/project/PekkoBuild.scala
@@ -20,6 +20,7 @@ import sbt.Keys._
 import sbt._
 import sbtassembly.AssemblyPlugin.autoImport._
 import sbtwelcome.WelcomePlugin.autoImport._
+import _root_.io.github.siculo.sbtbom.BomSbtPlugin.autoImport.makeBom
 import java.io.FileInputStream
 import java.io.InputStreamReader
@@ -267,6 +268,10 @@ object PekkoBuild {
 mavenLocalResolverSettings,
 docLintingSettings,
 JdkOptions.targetJdkSettings,
+ // needed until https://github.com/siculo/sbt-bom/pull/57 has been merged
+ packagedArtifacts += {
+ Artifact(artifact.value.name, "cyclonedx", "xml") -> makeBom.value
+ },
 // a workaround for https://github.com/akka/akka/issues/27661
 // see also project/Protobuf.scala that introduces /../ to make "intellij happy"
 MultiJvm / assembly / fullClasspath := {
diff --git a/project/plugins.sbt b/project/plugins.sbt
index 711983dc995..b796edf2201 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -30,6 +30,7 @@ addSbtPlugin("com.github.pjfanning" % "sbt-pekko-build" % "0.3.3")
 addSbtPlugin("com.github.reibitto" % "sbt-welcome" % "0.4.0")
 addSbtPlugin("com.github.sbt" % "sbt-license-report" % "1.6.1")
 addSbtPlugin("io.github.roiocam" % "sbt-depend-walker" % "0.1.1")
+addSbtPlugin("io.github.siculo" % "sbt-bom" % "0.3.0")
 addSbtPlugin("org.apache.pekko" % "pekko-sbt-paradox" % "1.0.1")
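Review bot: The three-argument `Artifact(artifact.value.name, "cyclonedx", "xml")` in the added `packagedArtifacts` entry of project/PekkoBuild.scala sets the artifact's type and extension but no classifier, so the BOM would presumably be published as a bare `.xml` file next to the jar rather than under a `cyclonedx` classifier. If consumers and scanners are expected to locate the SBOM by classifier, the four-argument form `Artifact(artifact.value.name, "cyclonedx", "xml", "cyclonedx")` would make that explicit; please confirm which layout is intended. The new comment also does not say what the entry works around; assuming the linked pull request makes the plugin attach the BOM itself, something like `// sbt-bom does not yet add the BOM to packagedArtifacts; remove once https://github.com/siculo/sbt-bom/pull/57 is released` would tell the next maintainer when it can go. It is also worth confirming that the release process signs and checksums this extra file like the other artifacts, since a verifier cannot rely on an SBOM whose integrity is not covered. The enclosing settings sequence in `object PekkoBuild` starts and ends outside the hunk.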