From 9a9ef5cd61b1f2660dc5e5b922d65c3961beabbc Mon Sep 17 00:00:00 2001
From: Artem Sorokin <38620398+seemewalkin@users.noreply.github.com>
Date: Fri, 5 Sep 2025 13:21:01 +0200
Subject: [PATCH] ci: Include SBOM with release (#19134)

---
 .github/workflows/release-attach-sbom.yml | 85 +++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 .github/workflows/release-attach-sbom.yml

diff --git a/.github/workflows/release-attach-sbom.yml b/.github/workflows/release-attach-sbom.yml
new file mode 100644
index 0000000000..dba2b2369c
--- /dev/null
+++ b/.github/workflows/release-attach-sbom.yml
@@ -0,0 +1,85 @@
+name: 'Release: Attach SBOM'
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  generate-and-attach-sbom:
+    name: Generate and Attach SBOM to Release
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
+    steps:
+      - name: Checkout release tag
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ github.event.release.tag_name }}
+
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 22.x
+
+      - name: Setup corepack and pnpm
+        run: |
+          npm i -g corepack@0.33
+          corepack enable
+
+      - name: Install dependencies for SBOM generation
+        run: pnpm install --frozen-lockfile
+
+      - name: Generate CycloneDX SBOM for source code
+        uses: anchore/sbom-action@b9a8bc8d2c19e9396f663e53c7b55848e98cf17c # v0.17.6
+        with:
+          path: ./
+          format: cyclonedx-json
+          output-file: sbom-source.cdx.json
+
+      - name: Attest build provenance for source release
+        uses: actions/attest-build-provenance@977bb37082e0bfde04bb18e63b0632b7b5a1c4a3 # v3.0.0
+        with:
+          subject-path: './package.json'
+
+      - name: Attest SBOM for source release
+        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
+        with:
+          subject-path: './package.json'
+          sbom-path: 'sbom-source.cdx.json'
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@9e9de2292db7abb3f51b7f4808d98f0d347a8919 # v3.7.0
+
+      - name: Sign SBOM (keyless)
+        run: |
+          # Sign SBOM using Cosign keyless signing with GitHub OIDC
+          # This provides cryptographic proof of authenticity and integrity
+          cosign sign-blob --yes --output-signature sbom-source.cdx.sig --output-certificate sbom-source.cdx.pem sbom-source.cdx.json
+
+      - name: Attach SBOM files to release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Upload SBOM files to the existing release
+          gh release upload "${{ github.event.release.tag_name }}" \
+            sbom-source.cdx.json \
+            sbom-source.cdx.sig \
+            sbom-source.cdx.pem \
+            --clobber
+
+          COMPONENT_COUNT=$(jq '.components | length' sbom-source.cdx.json 2>/dev/null || echo "unknown")
+          echo "✅ SBOM workflow completed"
+          echo "📊 SBOM contains $COMPONENT_COUNT components"
+          echo "🛡️ GitHub attestations created for source release"
+
+      - name: Notify Slack on failure
+        if: failure()
+        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
+        with:
+          status: ${{ job.status }}
+          channel: '#alerts-build'
+          webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
+          message: |
+            <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}| SBOM generation and attachment failed for release ${{ github.event.release.tag_name }} >