From aabd1a9b001ae9c8190bf2ddc1f3c8fe3a94a74d Mon Sep 17 00:00:00 2001
From: Martin Kuba
Date: Wed, 20 Mar 2024 07:46:52 -0700
Subject: [PATCH] SBOM workflow using "npm sbom" (#4521)

* add sbom workflow
* generate sbom for each package
* generate sbom API
* add prefix to all files
* conditionally add artifacts to releases
---------
Co-authored-by: Marc Pichler
---
.github/workflows/sbom.yml | 79 ++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 .github/workflows/sbom.yml

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 00000000000..a99ad66a139
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,79 @@
+name: SBOM
+on:
+ release:
+ types: [published]
+
+permissions: read-all
+
+jobs:
+ generate-sboms:
+ runs-on: ubuntu-latest
+ env:
+ NPM_CONFIG_UNSAFE_PERM: true
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20
+
+ - run: npm install -g npm@latest
+
+ - name: Bootstrap
+ run: npm ci
+
+ - name: Generate SBOM for core packages
+ if: ${{ ! startsWith(github.ref, 'refs/tags/experimental') && ! startsWith(github.ref, 'refs/tags/api') }}
+ run: |
+ for dir in $(find packages -mindepth 1 -maxdepth 1 -type d)
+ do
+ dir_name=$(basename "$dir")
+ echo "Generating SBOM for $dir_name"
+ npm sbom --sbom-format=spdx --legacy-peer-deps --workspace ${dir} > "opentelemetry-js_${dir_name}.spdx.json"
+ done
+
+ - name: Generate SBOM for the API package
+ if: startsWith(github.ref, 'refs/tags/api/')
+ run: |
+ npm sbom --sbom-format=spdx --legacy-peer-deps --workspace api > opentelemetry-js_api.spdx.json
+
+ - name: Generate SBOMs for experimental packages
+ if: startsWith(github.ref, 'refs/tags/experimental/')
+ run: |
+ for dir in $(find experimental/packages -mindepth 1 -maxdepth 1 -type d)
+ do
+ dir_name=$(basename "$dir")
+ echo "Generating SBOM for $dir_name"
+ npm sbom --sbom-format=spdx --legacy-peer-deps --workspace ${dir} > "opentelemetry-js_${dir_name}.spdx.json"
+ done
+
+ - name: Zip all SBOM files
+ run: |
+ zip sbom.zip *.spdx.json
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: SBOM.zip
+ path: ./sbom.zip
+
+ add-release-artifact:
+ needs: generate-sboms
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - name: Download artifact from generate-sboms
+ uses: actions/download-artifact@v4
+ with:
+ name: SBOM.zip
+ - name: Upload release asset
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ github.event.release.upload_url }}
+ asset_path: ./sbom.zip
+ asset_name: SBOM.zip
+ asset_content_type: application/zip
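Review bot: Every action in the new workflow is referenced by a mutable tag (`actions/checkout@v4`, `actions/setup-node@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `actions/upload-release-asset@v1`) and the `npm install -g npm@latest` step pulls whatever npm is current at run time, so the toolchain that produces a supply-chain artifact attached to every release is itself unpinned and the SBOM content can change between runs with no change to the repository. Pin each `uses:` to a full commit SHA with the version as a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v4`) and pin npm to a fixed version (`- run: npm install -g npm@<pinned-version>`), so that a retagged or compromised action cannot silently alter the generated files or the uploaded release asset. As far as I know `actions/upload-release-asset` is archived upstream and no longer maintained; `gh release upload "${GITHUB_REF_NAME}" sbom.zip` under the same `contents: write` permission does the same job with a tool already present on the hosted runner. Less important: the core-package condition excludes refs starting with `refs/tags/experimental` and `refs/tags/api` without the trailing slash used by the other two conditions, so a tag such as `api-docs/1.0` (constructed example) would be skipped by all three steps and `zip sbom.zip *.spdx.json` would then fail on an empty glob; using the same `refs/tags/api/` and `refs/tags/experimental/` prefixes in all three conditions keeps them consistent.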