Generate SBOMs and attach them to the release

alexiri · alexiri · commit 2f551aaa5ae9 · 2025-09-20T21:51:50.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -80,25 +80,34 @@ jobs:
 
     steps:
       - name: Fetch Changelogs
+        id: download-changelogs
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v4
         with:
           pattern: changelog-*
           merge-multiple: true
           path: /tmp/changelogs
 
+      - name: Fetch SBOMs
+        id: download-sbom
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v4
+        with:
+          pattern: "*.spdx.json"
+          merge-multiple: true
+          path: /tmp/sboms
+
       - name: Prepare Release
         id: prepare-release
         shell: bash
         run: |
-          if [[ ! -d /tmp/changelogs ]]; then
+          if [[ ! -d ${{ steps.download-changelogs.outputs.download-path }} ]]; then
             echo "No changelogs found, skipping release creation"
             echo "skip=1" >> "$GITHUB_ENV"
             exit
           fi
 
           echo "Automated release for version \`${{ needs.build-test-promote.outputs.version }}\`." > ./changelog.md
 
-          for changelog in /tmp/changelogs/*.txt; do
+          for changelog in ${{ steps.download-changelogs.outputs.download-path }}/*.txt; do
             # Remove empty Package Changes
             sed -i '/^#### Package Changes$/{
             N
@@ -127,3 +136,4 @@ jobs:
           tag_name: ${{ needs.build-test-promote.outputs.version }}
           body_path: ./changelog.md
           make_latest: true
+          files: "${{ steps.download-sbom.outputs.download-path }}/*.spdx.json"
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
@@ -110,7 +110,7 @@ jobs:
             - ${{ inputs.variant == 'gnome' && 'GNOME: <version:gdm>' || 'KDE: <version:plasma-desktop>' }}:
       KMS_KEY_ALIAS: ${{ inputs.KMS_KEY_ALIAS }}
       AWS_REGION: ${{ inputs.AWS_REGION }}
-      generate-sbom: false
+      generate-sbom: true
     secrets:
       REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
       SIGNING_SECRET: ${{ secrets.SIGNING_SECRET }}
