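---
# Generates a CycloneDX SBOM for a tagged n8n source release, records GitHub
# provenance and SBOM attestations for it, signs the SBOM keyless with Cosign,
# and attaches the SBOM, signature and certificate to the existing release.
#
# Callable from a release workflow (workflow_call) or run by hand
# (workflow_dispatch). Both entry points declare the same inputs.
name: 'Release: Attach SBOM'

on:
  workflow_call:
    inputs:
      # NOTE: declared for callers but not referenced by any step below; the
      # job keys everything off release_tag_ref.
      n8n_version:
        description: 'N8N version to generate SBOM for'
        required: true
        type: string
      release_tag_ref:
        description: 'Git reference to checkout (e.g. n8n@1.2.3)'
        required: true
        type: string
    secrets:
      SLACK_WEBHOOK_URL:
        required: true
  workflow_dispatch:
    inputs:
      n8n_version:
        description: 'N8N version to generate SBOM for'
        required: true
        type: string
      release_tag_ref:
        description: 'Git reference to checkout (e.g. n8n@1.2.3)'
        required: true
        type: string

# Token scopes, one per thing the steps actually do:
#   contents: write      - `gh release upload` to the existing release
#   id-token: write      - OIDC token for Cosign keyless signing and the
#                          actions/attest-* steps
#   attestations: write  - store the provenance and SBOM attestations
permissions:
  contents: write
  id-token: write
  attestations: write

jobs:
  generate-sbom:
    name: Generate and Attach SBOM to Release
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # A failure here does not fail the calling release workflow; the Slack
    # step at the end is the only signal that a release shipped without an SBOM.
    continue-on-error: true
    steps:
      - name: Checkout release tag
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ inputs.release_tag_ref }}

      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: 22.x

      - name: Setup corepack and pnpm
        run: |
          npm i -g corepack@0.33
          corepack enable

      - name: Install dependencies for SBOM generation
        run: pnpm install --frozen-lockfile

      # Runs after `pnpm install`, presumably so the installed dependency tree
      # is on disk for the scanner to catalog — confirm against the action docs.
      - name: Generate CycloneDX SBOM for source code
        uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
        with:
          path: ./
          format: cyclonedx-json
          output-file: sbom-source.cdx.json

      # NOTE(review): this pinned ref is 41 hex characters, one more than a git
      # SHA — confirm it resolves to the intended v3.0.0 commit.
      - name: Attest build provenance for source release
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a0 # v3.0.0
        with:
          # package.json stands in for "the source release" as the attestation
          # subject; this job produces no built artifact to attest instead.
          subject-path: './package.json'

      - name: Attest SBOM for source release
        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
        with:
          subject-path: './package.json'
          sbom-path: 'sbom-source.cdx.json'

      - name: Install Cosign
        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0

      - name: Sign SBOM (keyless)
        run: |
          # Sign SBOM using Cosign keyless signing with GitHub OIDC
          # This provides cryptographic proof of authenticity and integrity
          # Consumers verify with `cosign verify-blob`, supplying the .sig and
          # .pem plus the expected certificate identity and OIDC issuer.
          cosign sign-blob --yes --output-signature sbom-source.cdx.sig --output-certificate sbom-source.cdx.pem sbom-source.cdx.json

      - name: Attach SBOM files to release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Pass the input through the environment instead of interpolating
          # `${{ }}` into the script, so its value is never parsed by the shell.
          RELEASE_TAG_REF: ${{ inputs.release_tag_ref }}
        run: |
          # Upload SBOM files to the existing release
          gh release upload "$RELEASE_TAG_REF" \
            sbom-source.cdx.json \
            sbom-source.cdx.sig \
            sbom-source.cdx.pem \
            --clobber
          COMPONENT_COUNT=$(jq '.components | length' sbom-source.cdx.json 2>/dev/null || echo "unknown")
          echo "✅ SBOM workflow completed"
          echo "📊 SBOM contains $COMPONENT_COUNT components"
          echo "🛡️ GitHub attestations created for source release"

      - name: Notify Slack on failure
        if: failure()
        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
        with:
          status: ${{ job.status }}
          channel: '#alerts-build'
          webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
          message: |
            <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|
            SBOM generation and attachment failed for release ${{ inputs.release_tag_ref }}
            >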