[DOP-25348] Generate SBOM on release

Author: dolfinus

.github/workflows/release.yml

@@ -18,6 +18,9 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'MobileTeleSystems/syncmaster-ui' # prevent running on forks
 
+    permissions:
+      contents: write # to create Github release
+
     steps:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -42,6 +45,8 @@ jobs:
         run: |
           version=$(node -p "require('./package.json').version")
           echo "VERSION=${version}" >> $GITHUB_ENV
+          current_dt=$(date -u +"%Y-%m-%d")
+          echo "NAME=${version} (${current_dt})" >> $GITHUB_ENV
 
       - name: Docker meta
         id: meta
@@ -72,6 +77,7 @@ jobs:
             linux/amd64
             linux/arm64/v8
           provenance: mode=max
+          sbom: true
 
       - name: Update DockerHub Description
         uses: peter-evans/dockerhub-description@v4
@@ -83,3 +89,18 @@ jobs:
           repository: mtsrus/syncmaster-ui
           short-description: ${{ github.event.repository.description }}
           enable-url-completion: true
+
+      - name: Generate SBOM
+        run: |
+          yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx --prod --output-reproducible --output-file sbom.cyclonedx.json
+
+      - name: Create Github release
+        id: create_release
+        uses: softprops/action-gh-release@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          draft: false
+          prerelease: false
+          name: ${{ env.NAME }}
+          files: |
+            sbom.cyclonedx.json