feat: generate SBOM and attach to release artifacts (#672)

Signed-off-by: Lukas Reining <[email protected]>

Author: lukas-reining

.github/workflows/release-please.yml

@@ -18,6 +18,35 @@ jobs:
           signoff: "OpenFeature Bot <[email protected]>"
     outputs:
       release_created: ${{ steps.release.outputs.releases_created }}
+      all: ${{ toJSON(steps.release.outputs) }}
+      paths_released: ${{ steps.release.outputs.paths_released }}
+
+  sbom:
+    needs: release-please
+    runs-on: ubuntu-latest
+    if: ${{ fromJSON(needs.release-please.outputs.paths_released)[0] != null }}
+    # Continues with the release process even if SBOM generation fails.
+    continue-on-error: true
+    strategy:
+      matrix:
+        release: ${{ fromJSON(needs.release-please.outputs.paths_released) }}
+    env:
+      TAG: ${{ fromJSON(needs.release-please.outputs.all)[format('{0}--tag_name', matrix.release)] }}
+    steps:
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18
+      - name: Generate SBOM
+        run:
+          npm install -g npm@^10.2.0
+          npm ci --omit dev --workspace=${{matrix.release}}
+          npm sbom --sbom-format=cyclonedx --omit=dev --omit=peer --workspace=${{matrix.release}} > bom.json
+      - name: Attach SBOM to artifact
+        env:
+          GITHUB_TOKEN: ${{secrets.RELEASE_PLEASE_ACTION_TOKEN}}
+        run:
+          gh release upload $TAG bom.json
 
   npm-release:
     needs: release-please