run compliance steps in the release process

Author: oarbusi

.github/workflows/release.yml

@@ -314,3 +314,46 @@ jobs:
           labels: failed-release
           title: Publishing v${{ steps.extract-version.outputs.VERSION }} to GitHub Releases failed
           body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+      - name: Generate SBOM
+        run: |
+          ./scripts/compliance/gen-purls.sh
+          ./scripts/compliance/gen-sbom.sh
+      - name: Upload SBOM to Kondukto
+        run: ./scripts/compliance/upload-sbom.sh
+        env:
+          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      - name: terraform-provider-mongodbatlas-checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          repository: mongodb/terraform-provider-mongodbatlas
+          ref: master
+      - name: Generate SSDLC report
+        uses: mongodb/terraform-provider-mongodbatlas/.github/templates/run-script-and-commit@master
+        with:
+          script_call: |
+            AUTHOR="${{ github.actor }}"
+            export AUTHOR
+            export VERSION=${{ steps.extract-version.outputs.VERSION }}
+            ./scripts/compliance/gen-ssdlc-report.sh
+          apix_bot_pat: ${{ secrets.APIX_BOT_PAT }}
+          remote: https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }}
+          gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }}
+          file_to_commit: 'cfn-resources/${{ github.event.inputs.resourceName }}/compliance/v*/*'
+          commit_message:
+            "chore: Update SSDLC report for ${{ needs.publish.outputs.published_version }}"
+          repo-path: "cfn-resources/"
+        env:
+          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+          SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      - name: Upload SBOM as release artifact
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631
+        with:
+          files: compliance/sbom.json
+          tag_name: ${{ steps.extract-version.outputs.VERSION }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

scripts/compliance/gen-ssdlc-report.sh

@@ -10,7 +10,7 @@ if [ -z "${AUTHOR:-}" ]; then
 fi
 
 if [ -z "${VERSION:-}" ]; then
-  VERSION=$(git tag --list 'v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)
+  VERSION=$(git tag --list 'v*' --sort=-v:refname | head -1 | cut -d 'v' -f 2)
 fi
 
 if [ "${AUGMENTED_REPORT:-false}" = "true" ]; then