From 9670e447573c1aae1cc43af454253edbeef11ef1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20Garc=C3=ADa=20Veytia=20=28puerco=29?=
Date: Wed, 24 Jul 2024 10:40:13 -0600
Subject: [PATCH] Add SBOM generation to releases
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit adds an SBOM generation JOB to the repo releases

Signed-off-by: Adolfo GarcĂ­a Veytia (puerco)
---
 .bom.yaml | 5 ++++
 .github/workflows/release.yaml | 42 ++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 .bom.yaml
 create mode 100644 .github/workflows/release.yaml

diff --git a/.bom.yaml b/.bom.yaml
new file mode 100644
index 0000000..4cff5ba
--- /dev/null
+++ b/.bom.yaml
@@ -0,0 +1,5 @@
+---
+license: Apache-2.0
+name: sigs.k8s.io/release-utils
+creator:
+ person: The Kubernetes Authors
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..fa9c6e8
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,42 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write # needed to write releases
+
+ steps:
+ - name: Set tag name
+ shell: bash
+ run: |
+ echo "TAG=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+ - name: Check out code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ fetch-depth: 1
+ - name: Set up go
+ uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v3
+ with:
+ go-version-file: go.mod
+ check-latest: true
+ cache: false
+ - name: Install bom
+ uses: kubernetes-sigs/release-actions/setup-bom@2f8b9ec22aedc9ce15039b6c7716aa6c2907df1c # v0.2.0
+ - name: Generate SBOM
+ shell: bash
+ run: |
+ bom generate -c .bom.yaml --format=json -o /tmp/sigs.k8s.io-release-utils-$TAG.spdx.json .
+ - name: Publish Release
+ uses: kubernetes-sigs/release-actions/publish-release@2f8b9ec22aedc9ce15039b6c7716aa6c2907df1c # v0.2.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ assets: "/tmp/sigs.k8s.io-release-utils-$TAG.spdx.json"
+ sbom: false
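Review bot: The `assets:` value under `with:` in the `Publish Release` step carries a literal `$TAG`, which the runner does not expand in action inputs; it presumably works only because the composite action forwards the input through a shell step where the `TAG` exported via `$GITHUB_ENV` is visible, so the asset path depends on an implementation detail of the pinned action. Writing `${{ env.TAG }}` there (or `${{ github.ref_name }}`, which is the same value for a tag push) makes the path independent of how the action consumes its input and would remove the need for the shell-derived `TAG` altogether. If the `Set tag name` step is kept, the redirect target should be quoted to match the quoted assignment: `echo "TAG=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"`. Git ref rules exclude whitespace and glob characters, so the unquoted `$TAG` in the `bom generate` line is not an expansion hazard, but quoting that path too would make the intent explicit.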