

ci: bootstrap signed 30-day evaluation licenses for licensed jobs



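# SPDX-License-Identifier: AGPL-3.0-or-later
# CycloneDX SBOM generation via anchore/syft
# Gap T-2: US Executive Order 14028, EU Cyber Resilience Act (CRA) compliance
#
# Produces a CycloneDX and an SPDX SBOM of the checked-out tree on every
# push to main, every pull request into main and every v* tag. On tag
# builds the two files are attached to the GitHub release; on all other
# runs they are kept as a workflow artifact for 90 days.
name: SBOM

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader treats it
# as the trigger key, so a yamllint `truthy` warning here is expected.
on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:
    branches: [main]

# Least privilege: the workflow-level default is read-only so that any job
# added later does not silently inherit write access. The single job below
# requests the write scope it needs for release uploads explicitly.
permissions:
  contents: read

jobs:
  sbom:
    name: Generate CycloneDX SBOM
    runs-on: ubuntu-24.04
    # contents: write is required by softprops/action-gh-release to attach
    # assets to the release on tag builds. On pull_request runs the token
    # is only used for checkout; GitHub already downgrades it to read-only
    # for fork PRs, but same-repository PRs still run with write here.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v6

      # The third-party actions below are referenced by floating major tag.
      # Because this job runs with a write-capable token, consider pinning
      # each to a full commit SHA (e.g. anchore/sbom-action@<40-hex-commit-sha>)
      # so a retagged release cannot change the code that runs here.
      - name: Generate SBOM (CycloneDX JSON)
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: cyclonedx-json
          output-file: signet-forge-sbom.cdx.json
          artifact-name: signet-forge-sbom

      - name: Generate SBOM (SPDX JSON)
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: signet-forge-sbom.spdx.json
          artifact-name: signet-forge-sbom-spdx

      # NOTE(review): anchore/sbom-action can also attach its output to a
      # release on tag builds by default; confirm the assets are not
      # uploaded twice (or disable that behaviour in the steps above).
      - name: Upload SBOMs as release assets
        if: startsWith(github.ref, 'refs/tags/')
        uses: softprops/action-gh-release@v2
        with:
          files: |
            signet-forge-sbom.cdx.json
            signet-forge-sbom.spdx.json

      # Non-release runs keep the SBOMs as a downloadable artifact. The
      # `if` is quoted because a leading `!` is a YAML tag indicator.
      - name: Upload SBOM artifacts (non-release)
        if: "!startsWith(github.ref, 'refs/tags/')"
        uses: actions/upload-artifact@v7
        with:
          name: sbom
          path: |
            signet-forge-sbom.cdx.json
            signet-forge-sbom.spdx.json
          retention-days: 90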