From f6d165b9da9fb9eded8b78fdf8457cc7162363f6 Mon Sep 17 00:00:00 2001
From: Martin Kuba
Date: Sat, 2 Mar 2024 09:41:49 -0800
Subject: [PATCH] add sbom workflow
---
 .github/workflows/sbom.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/sbom.yml
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 00000000000..5c627d2a725
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,34 @@
+name: SBOM
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+ sbom:
+ runs-on: ubuntu-latest
+ env:
+ NPM_CONFIG_UNSAFE_PERM: true
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - uses: actions/setup-node@v3
+ with:
+ node-version: 20
+
+ - run: npm install -g npm@latest
+
+ - name: Bootstrap
+ run: npm ci
+
+ - name: Generate SBOM
+ run: |
+ npm sbom --sbom-format=spdx --workspaces --sbom-type=library > sbom.spdx
+
+ - uses: actions/upload-artifact@v3.1.0
+ with:
+ path: ./sbom.spdx
+ name: "SBOM"
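Review bot: `permissions: read-all` grants the job read access to every token scope, but the steps only check out the repository and upload an artifact, so the least-privilege form `permissions:` / `  contents: read` is sufficient and should replace it. The job is also built on floating inputs — `actions/checkout@v4`, `actions/setup-node@v3` and `actions/upload-artifact@v3.1.0` resolve through mutable tags, and `npm install -g npm@latest` pulls whatever npm is current on the day of the release — which means the SBOM that is meant to attest the release's dependency tree is itself produced by unpinned tooling; pin the actions to full commit SHAs (with the tag in a trailing comment) and pin the npm version. Since `npm sbom` appears to need only the installed tree, `npm ci --ignore-scripts` would keep third-party install scripts from executing in this job (confirm no workspace package relies on a build step for the SBOM). `NPM_CONFIG_UNSAFE_PERM: true` looks like a leftover from older npm and is not referenced by any step here; if it has no effect on npm 7+ (please verify) it can be dropped.
```yaml
permissions:
  contents: read

# … unchanged: jobs.sbom.runs-on, env …
      - name: Checkout
        uses: actions/checkout@<FULL-COMMIT-SHA>  # v4 — placeholder, replace with the tag's SHA

      - uses: actions/setup-node@<FULL-COMMIT-SHA>  # v3 — placeholder, replace with the tag's SHA
        with:
          node-version: "20"

      - run: npm install -g npm@<PINNED-NPM-VERSION>  # placeholder — pin instead of latest

      - name: Bootstrap
        run: npm ci --ignore-scripts

# … unchanged: Generate SBOM step …
      - uses: actions/upload-artifact@<FULL-COMMIT-SHA>  # v3.1.0 — placeholder, replace with the tag's SHA
```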