From ab7dca130f29f53457dfa8a251e175040fdb45a3 Mon Sep 17 00:00:00 2001
From: Ioana Iliescu
Date: Wed, 21 May 2025 16:17:00 +0300
Subject: [PATCH] Github Actions Workflow to generate SBOMs for new releases and upload to DependencyTrack

Signed-off-by: Ioana Iliescu
---
 .github/workflows/generate-maven-sbom.yml | 67 +++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 .github/workflows/generate-maven-sbom.yml
diff --git a/.github/workflows/generate-maven-sbom.yml b/.github/workflows/generate-maven-sbom.yml
new file mode 100644
index 00000000..4c83e2f0
--- /dev/null
+++ b/.github/workflows/generate-maven-sbom.yml
@@ -0,0 +1,67 @@
+name: Generate Maven SBOM
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Version'
+ default: 'master'
+ required: true
+
+env:
+ JAVA_VERSION: '8'
+ JAVA_DISTRO: 'temurin'
+ PRODUCT_PATH: './'
+ PLUGIN_VERSION: '2.7.8'
+ SBOM_TYPE: 'makeAggregateBom'
+
+permissions:
+ contents: read
+
+jobs:
+ generate-sbom:
+ runs-on: ubuntu-latest
+ outputs:
+ project-version: ${{ steps.version.outputs.PROJECT_VERSION }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.inputs.version }}
+
+ - name: Setup Java SDK
+ uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+ with:
+ java-version: ${{ env.JAVA_VERSION }}
+ distribution: ${{ env.JAVA_DISTRO }}
+
+ - name: Generate sbom
+ run: |
+ mvn org.cyclonedx:cyclonedx-maven-plugin:$PLUGIN_VERSION:$SBOM_TYPE -f "$PRODUCT_PATH/pom.xml"
+
+ - name: Extract product version
+ id: version
+ shell: bash
+ run: |
+ VERSION="$(jq -r '.metadata.component.version' < ./${{ env.PRODUCT_PATH }}/target/bom.json)"
+ echo "PROJECT_VERSION=$VERSION" >> $GITHUB_OUTPUT
+ echo "Product version: $VERSION"
+
+ - name: Upload sbom
+ uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+ with:
+ name: sbom
+ path: ${{ env.PRODUCT_PATH }}/target/bom.json
+
+ store-sbom-data: # stores sbom and metadata in a predefined format for otterdog to pick up
+ needs: ['generate-sbom']
+ uses: eclipse-csi/workflows/.github/workflows/store-sbom-data.yml@main
+ with:
+ projectName: 'paho.mqtt.java'
+ projectVersion: ${{ needs.generate-sbom.outputs.project-version }}
+ bomArtifact: 'sbom'
+ bomFilename: 'bom.json'
+ parentProject: '27463a59-b016-4fa1-8741-7cf4fc61c760'
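Review bot: The `store-sbom-data` job calls `eclipse-csi/workflows/.github/workflows/store-sbom-data.yml@main`, a mutable branch ref, while every action in `generate-sbom` is pinned to a commit SHA with a version comment, so a change on that branch alters what this release-time workflow runs without any change in this repository. Unless the organisation deliberately tracks `main` for its internal reusable workflows, pin it the same way: `uses: eclipse-csi/workflows/.github/workflows/store-sbom-data.yml@<commit-sha> # <tag>` (placeholder values). In the "Extract product version" step, `jq -r` prints the literal string `null` when `.metadata.component.version` is missing and the job still succeeds, so a guard such as `[ -n "$VERSION" ] && [ "$VERSION" != "null" ] || { echo "no version in bom.json" >&2; exit 1; }` would keep a bogus `projectVersion` from reaching the downstream job, and quoting `"$GITHUB_OUTPUT"` there is cheap. A comment on the `ref:` line would also help, e.g. `# on the release trigger inputs.version is empty, so checkout appears to fall back to the triggering tag; the 'master' default applies only to workflow_dispatch` — confirm that fallback against actions/checkout's handling of an empty ref.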