Merge pull request #1031 from Cosmo-Tech/DSE/platform_dependencies_PROD-14600

sellisd · web-flow · commit 27072fadbb65 · 2025-08-05T11:47:49.000+02:00
Dse/platform dependencies prod 14600
diff --git a/.github/workflows/track_dependencies.yml b/.github/workflows/track_dependencies.yml
@@ -0,0 +1,34 @@
+name: Track Dependencies
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - 'release/**'
+      - 'DSE/platform_dependencies_PROD-14600' # for debugging during development
+
+jobs:
+  dependency_track:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '23'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4.4.1
+        with:
+          cache-disabled: true
+      - name: Track dependencies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./gradlew cyclonedxBom
+      - name: Upload CycloneDX BOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: cosmotech-api-bom
+          path: build/reports/cosmotech-api-bom.xml
+          overwrite: true
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -46,6 +46,7 @@ plugins {
   id("io.gitlab.arturbosch.detekt") version "1.23.8"
   id("org.openapi.generator") version "7.13.0" apply false
   id("com.google.cloud.tools.jib") version "3.4.5" apply false
+  id("org.cyclonedx.bom") version "2.3.1"
 }
 
 scmVersion { tag { prefix.set("") } }
@@ -114,6 +115,7 @@ allprojects {
   apply(plugin = "io.gitlab.arturbosch.detekt")
   apply(plugin = "project-report")
   apply(plugin = "org.owasp.dependencycheck")
+  apply(plugin = "org.cyclonedx.bom")
 
   version = rootProject.scmVersion.version ?: error("Root project did not configure scmVersion!")
 
@@ -145,6 +147,13 @@ allprojects {
     mavenCentral()
   }
 
+  tasks.cyclonedxBom {
+    includeConfigs = listOf("runtimeClasspath")
+    outputFormat = "xml" // by default it would also generate json
+    projectType = "application"
+    outputName = "cosmotech-api-bom"
+  }
+
   tasks.withType<HtmlDependencyReportTask>().configureEach { projects = project.allprojects }
 
   configure<SpotlessExtension> {
