From ff1962f8e0323f6069a78a2b637751ae5266b244 Mon Sep 17 00:00:00 2001
From: Mathis Hofer
Date: Mon, 23 Oct 2023 15:56:44 +0200
Subject: [PATCH] Add workflow to generate SBOM (software bill of materials) #561
---
 .github/workflows/bom.yml | 43 +++++++++++++++++++++++++++++++++++++++
 README.md | 1 +
 2 files changed, 44 insertions(+)
 create mode 100644 .github/workflows/bom.yml
diff --git a/.github/workflows/bom.yml b/.github/workflows/bom.yml
new file mode 100644
index 000000000..c8a26dcfe
--- /dev/null
+++ b/.github/workflows/bom.yml
@@ -0,0 +1,43 @@
+name: SBOM
+
+on:
+ push:
+ branches: [main]
+
+ workflow_dispatch:
+
+jobs:
+ bom:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ node-version: [18]
+
+ steps:
+ - name: Checkout 🛎️
+ uses: actions/checkout@v3
+
+ - name: Use Node.js ${{ matrix.node-version }}
+ uses: actions/setup-node@v3
+ with:
+ node-version: ${{ matrix.version }}
+ cache: "npm"
+
+ - name: Install @cyclonedx/cyclonedx-npm
+ run: npm install @cyclonedx/cyclonedx-npm --no-save
+
+ - name: Generate BOM
+ run: npm exec -- cyclonedx-npm --output-format XML --output-file bom.xml
+
+ - name: Push BOM to Dependency Track
+ env:
+ PROJECT_NAME: bkd-webapp-schulverwaltung
+ run: |
+ curl --verbose -s --location --request POST ${{vars.DEPENDENCY_TRACK_URL}}/api/v1/bom \
+ --header "X-Api-Key: ${{secrets.DEPENDENCY_TRACK_API_KEY}}" \
+ --header "Content-Type: multipart/form-data" \
+ --form "autoCreate=true" \
+ --form "projectName=$PROJECT_NAME" \
+ --form "projectVersion=latest" \
+ --form "bom=@bom.xml"
diff --git a/README.md b/README.md
index 2090d724e..1df47a89d 100644
--- a/README.md
+++ b/README.md
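Review bot: `node-version: ${{ matrix.version }}` in the setup-node step references a matrix key that does not exist — the matrix defines `node-version`, so the expression expands to an empty string and the step name's `${{ matrix.node-version }}` no longer matches what setup-node actually installs; change it to `node-version: ${{ matrix.node-version }}`. The upload step's `curl` has no `--fail` (or `--fail-with-body`), so an HTTP 4xx/5xx from Dependency-Track (bad key, wrong URL, rejected BOM) still exits 0 and the job stays green while no SBOM was recorded. Rather than interpolating `${{vars.DEPENDENCY_TRACK_URL}}` and `${{secrets.DEPENDENCY_TRACK_API_KEY}}` into the script text, pass them through the step's `env:` next to `PROJECT_NAME` and reference `"$DT_URL"` / `"$DT_API_KEY"`, which keeps expression values out of the shell source; `--verbose` also prints the request headers, so it is better dropped unless debugging, even though GitHub masks the secret value in logs. Since the job only needs to read the repository, a top-level `permissions: contents: read` would restrict the default GITHUB_TOKEN to least privilege, and the actions (`@v3`) and `@cyclonedx/cyclonedx-npm` (latest) are unpinned — pinning them makes the generated SBOM itself reproducible.
```yaml
      - name: Push BOM to Dependency Track
        env:
          PROJECT_NAME: bkd-webapp-schulverwaltung
          DT_URL: ${{ vars.DEPENDENCY_TRACK_URL }}
          DT_API_KEY: ${{ secrets.DEPENDENCY_TRACK_API_KEY }}
        run: |
          curl --silent --show-error --fail-with-body --location --request POST "$DT_URL/api/v1/bom" \
            --header "X-Api-Key: $DT_API_KEY" \
            # … unchanged: Content-Type header and the --form options …
```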
@@ -2,6 +2,7 @@ [![lint test ✨](https://github.com/bkd-mba-fbi/webapp-schulverwaltung/actions/workflows/lintAndTest.yml/badge.svg?branch=main)](https://github.com/bkd-mba-fbi/webapp-schulverwaltung/actions/workflows/lintAndTest.yml) [![build 🏭 deploy 🚀](https://github.com/bkd-mba-fbi/webapp-schulverwaltung/actions/workflows/buildDeploy.yml/badge.svg)](https://github.com/bkd-mba-fbi/webapp-schulverwaltung/actions/workflows/buildDeploy.yml) +[![SBOM](https://github.com/bkd-mba-fbi/webapp-schulverwaltung/actions/workflows/bom.yml/badge.svg?branch=main)](https://github.com/bkd-mba-fbi/webapp-schulverwaltung/actions/workflows/bom.yml) JavaScript web module to implement processes for school administration using the SLH.Evento backend (REST API).