From faafd0b122203efd405b6fdf615e9790b0f0c682 Mon Sep 17 00:00:00 2001
From: Moritz Wiesinger
Date: Mon, 9 Jan 2023 13:57:28 +0100
Subject: [PATCH 1/3] try out sbom action
Signed-off-by: Moritz Wiesinger
---
 .github/workflows/CI.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
index 281afb19e2..50efff290c 100644
--- a/.github/workflows/CI.yaml
+++ b/.github/workflows/CI.yaml
@@ -160,6 +160,11 @@ jobs:
 name: ${{ matrix.config.name }}-manifest-test
 path: ${{ matrix.config.folder }}/config/rendered/release.yaml
+ - name: Generate SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ output-file: ./sbom-${{ matrix.config.name }}.spdx.json
+
 component_tests:
 name: Component Tests
 needs: prepare_ci_run
From 3e5a82ff79a16f90bd07ad5cbcdb29b755f90db5 Mon Sep 17 00:00:00 2001
From: Moritz Wiesinger
Date: Mon, 9 Jan 2023 14:18:11 +0100
Subject: [PATCH 2/3] add sbom generation to release pipeline
Signed-off-by: Moritz Wiesinger
---
 .github/workflows/CI.yaml | 5 -----
 .github/workflows/release.yml | 13 +++++++++++++
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
index 50efff290c..281afb19e2 100644
--- a/.github/workflows/CI.yaml
+++ b/.github/workflows/CI.yaml
@@ -160,11 +160,6 @@ jobs:
 name: ${{ matrix.config.name }}-manifest-test
 path: ${{ matrix.config.folder }}/config/rendered/release.yaml
- - name: Generate SBOM
- uses: anchore/sbom-action@v0
- with:
- output-file: ./sbom-${{ matrix.config.name }}.spdx.json
-
 component_tests:
 name: Component Tests
 needs: prepare_ci_run
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b1dec6b674..1cedbc3a0a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
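Review bot: `uses: anchore/sbom-action@v0` pins the new step to a floating major tag, so the SBOM — an artifact downstream consumers are meant to trust — is generated by whatever commit `v0` points to on the day the workflow runs; pin to the full commit SHA and keep the version as a trailing comment, `uses: anchore/sbom-action@<full-commit-sha>  # v0.13.1`. The step also sets neither `image:` nor `path:`, so the action falls back to its default of scanning the checked-out workspace directory rather than anything this job built; PATCH 2/3 moves the step to release.yml and adds `image:`, which addresses that, but its two `uses:` lines carry the same floating-tag pin (`@v0.13.1`, `@v1`) and should be SHA-pinned the same way. The job this step is appended to starts before the hunk.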
@@ -100,6 +100,19 @@ jobs:
 COSIGN_EXPERIMENTAL: 1
 run: cosign sign ${{ env.IMAGE_TAG }}
+ - name: Generate SBOM
+ uses: anchore/sbom-action@v0.13.1
+ with:
+ image: ${{ env.IMAGE_TAG }}
+ artifact-name: sbom-${{ matrix.config.name }}
+ output-file: ./sbom-${{ matrix.config.name }}.spdx.json
+
+ - name: Attach SBOM to release
+ uses: softprops/action-gh-release@v1
+ with:
+ tag_name: ${{ needs.release-please.outputs.tag_name }}
+ files: ./sbom-${{ matrix.config.name }}.spdx.json
+
 release-manifests:
 if: needs.release-please.outputs.releases_created == 'true'
 needs:
From 5489e86318d0196f8d4230591cb7dc921c62a4a2 Mon Sep 17 00:00:00 2001
From: Moritz Wiesinger
Date: Mon, 9 Jan 2023 14:20:18 +0100
Subject: [PATCH 3/3] Trigger Build
Signed-off-by: Moritz Wiesinger
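Review bot: The SBOM is attached to the release as a plain asset but nothing signs or attests it, even though the step just above signs the image with keyless cosign (`COSIGN_EXPERIMENTAL: 1`, `cosign sign ${{ env.IMAGE_TAG }}`), so someone downloading `sbom-<name>.spdx.json` has no way to detect a swapped or modified file. Attesting the SBOM against the image with `cosign attest --type spdxjson` binds it to the signed image and makes it checkable with `cosign verify-attestation`; the step below would sit between the two added steps. Both new `uses:` lines (`anchore/sbom-action@v0.13.1`, `softprops/action-gh-release@v1`) are mutable tags and should be pinned to full commit SHAs (`@<full-commit-sha>  # v0.13.1`) so the toolchain that produced the SBOM is reproducible. The release upload also requires the job's `GITHUB_TOKEN` to carry `contents: write`, which the hunk does not show — confirm the job's `permissions:` block, which starts before the hunk, grants it, and that `image: ${{ env.IMAGE_TAG }}` refers to the digest that was signed rather than a tag that could be re-pushed between the two steps.
```yaml
      - name: Attest SBOM to image
        env:
          COSIGN_EXPERIMENTAL: 1
        run: cosign attest --type spdxjson --predicate ./sbom-${{ matrix.config.name }}.spdx.json ${{ env.IMAGE_TAG }}
      # … unchanged: Attach SBOM to release step …
```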