From 6d79a9dd164a0826f3804a68b57992cd344869f6 Mon Sep 17 00:00:00 2001
From: Thomas Burkhalter
Date: Thu, 8 Sep 2022 16:31:50 +0200
Subject: [PATCH] Add sbom github actions
---
 .github/workflows/build-on-push.yaml | 8 +++++++-
 .github/workflows/manual-build.yaml | 2 +-
 .github/workflows/reusable-boms.yaml | 28 ++++++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/reusable-boms.yaml
diff --git a/.github/workflows/build-on-push.yaml b/.github/workflows/build-on-push.yaml
index 459f404..13f47d9 100644
--- a/.github/workflows/build-on-push.yaml
+++ b/.github/workflows/build-on-push.yaml
@@ -18,4 +18,10 @@ jobs:
 uses: ./.github/workflows/reusable-build.yaml
 secrets:
 PUZZLE_REGISTRY_USERNAME: ${{ secrets.PUZZLE_REGISTRY_USERNAME }}
- PUZZLE_REGISTRY_TOKEN: ${{ secrets.PUZZLE_REGISTRY_TOKEN }}
\ No newline at end of file
+ PUZZLE_REGISTRY_TOKEN: ${{ secrets.PUZZLE_REGISTRY_TOKEN }}
+ bom:
+ needs: build
+ uses: ./.github/workflows/reusable-boms.yaml
+ secrets:
+ PUZZLE_DEP_TRACK_URL: ${{ secrets.PUZZLE_DEP_TRACK_URL}}
+ PUZZLE_DEP_TRACK_TOKEN: ${{ secrets.PUZZLE_DEP_TRACK_TOKEN }}
diff --git a/.github/workflows/manual-build.yaml b/.github/workflows/manual-build.yaml
index 515f959..c9a702b 100644
--- a/.github/workflows/manual-build.yaml
+++ b/.github/workflows/manual-build.yaml
@@ -9,4 +9,4 @@ jobs:
 uses: ./.github/workflows/reusable-build.yaml
 secrets:
 username: ${{ secrets.PUZZLE_REGISTRY_USERNAME }}
- password: ${{ secrets.PUZZLE_REGISTRY_TOKEN }}
\ No newline at end of file
+ password: ${{ secrets.PUZZLE_REGISTRY_TOKEN }}
diff --git a/.github/workflows/reusable-boms.yaml b/.github/workflows/reusable-boms.yaml
new file mode 100644
index 0000000..fbd9089
--- /dev/null
+++ b/.github/workflows/reusable-boms.yaml
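Review bot: In the new `bom` job the URL secret is written `${{ secrets.PUZZLE_DEP_TRACK_URL}}` without the space before `}}` that every other expression in this file carries; the expression still evaluates, but it reads as a typo and will trip linters that check expression spacing, so it should be `PUZZLE_DEP_TRACK_URL: ${{ secrets.PUZZLE_DEP_TRACK_URL }}`. Since `bom` only forwards the two Dependency-Track secrets and otherwise needs nothing from the repository token, a job-level `permissions: contents: read` on the caller would presumably bound what the called workflow can do with `GITHUB_TOKEN`; confirm against the reusable workflow's actual needs. The `jobs:` mapping and the `build` job this hunk extends begin outside the hunk.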
@@ -0,0 +1,28 @@
+
+name: 'Reusable: Build BOM for dependency tracker'
+
+on:
+ workflow_call:
+ secrets:
+ PUZZLE_DEP_TRACK_URL:
+ description: 'Needed for the dep track push'
+ required: false
+ PUZZLE_DEP_TRACK_TOKEN:
+ description: 'Needed for the dep track push'
+ required: false
+
+jobs:
+ build:
+ environment: deploy
+ runs-on: 'ubuntu-latest'
+ steps:
+ - name: generate-bom
+ run: |-
+ npm install -g @appthreat/cdxgen && \
+ mkdir ./reports && \
+ cdxgen -o ./reports/bom.xml -r ./ && \
+ cdxgen --server-url ${{ secrets.PUZZLE_DEP_TRACK_URL }} \
+ --api-key ${{ secrets.PUZZLE_DEP_TRACK_TOKEN }} \
+ --project-name $GITHUB_REPOSITORY \
+ --project-version $GITHUB_REF \
+ --recurse ./
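Review bot: The `generate-bom` step runs `cdxgen -r ./` with no checkout step ahead of it in `steps`, so the workspace on the fresh runner holds nothing to scan and the BOM that gets pushed will describe an empty tree; an `actions/checkout` step has to come first. The two secrets are also spliced straight into the `run:` script via `${{ }}`; passing them through `env:` and reading the shell variables keeps the secret values out of the script text the runner assembles, and since this workflow exists to track the supply chain, `npm install -g @appthreat/cdxgen` should pin a version so the generator itself is a reproducible dependency. Both secrets are declared `required: false` yet the push command uses them unconditionally, so either declare them `required: true` or skip the push when they are absent. A job-level `permissions: contents: read` would also keep the default token to what a read-only scan needs.
```yaml
    steps:
      - uses: actions/checkout@v3
      - name: generate-bom
        env:
          DEP_TRACK_URL: ${{ secrets.PUZZLE_DEP_TRACK_URL }}
          DEP_TRACK_TOKEN: ${{ secrets.PUZZLE_DEP_TRACK_TOKEN }}
        run: |-
          npm install -g @appthreat/cdxgen@<PINNED_VERSION> && \
          mkdir ./reports && \
          cdxgen -o ./reports/bom.xml -r ./ && \
          cdxgen --server-url "$DEP_TRACK_URL" \
          --api-key "$DEP_TRACK_TOKEN" \
          --project-name "$GITHUB_REPOSITORY" \
          --project-version "$GITHUB_REF" \
          --recurse ./
```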