kuzzleio · rolljee · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025
diff --git a/.github/actions/install-packages/action.yml b/.github/actions/install-packages/action.yml
@@ -0,0 +1,8 @@
+name: Install Packages
+description: Install necessary packages inside the CI
+
+runs:
+  using: "composite"
+  steps:
+    - run: sudo apt update && sudo apt install libunwind-dev libunwind8 -y
+      shell: bash
diff --git a/.github/workflows/dtrack-sbom.workflow.yaml b/.github/workflows/dtrack-sbom.workflow.yaml
@@ -0,0 +1,45 @@
+name: Dtrack SBOM publish
+
+env:
+  NODE_VERSION: "24"
+
+on:
+  release:
+    types:
+      - released
+      - prereleased
+
+jobs:
+  publish-sbom-to-dtrack:
+    name: Publish SBOM to Dependency-Track
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@v6
+
+      - name: Install additional libraries
+        uses: ./.github/actions/install-packages
+
+      - name: Node version ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - run: npm install
+      - name: Create SBOM with CycloneDX
+        run: npx @cyclonedx/cyclonedx-npm -o bom.xml --of=XML
+
+      - name: Get the current project version from package.json
+        id: get-version
+        run: |
+          echo "version=$(jq -r .version package.json)" >> $GITHUB_OUTPUT
+
+      - name: Publish SBOM to Dependency-Track
+        uses: DependencyTrack/gh-upload-sbom@v3
+        with:
+          serverhostname: ${{ secrets.DEPENDENCYTRACK_HOSTNAME }}
+          apikey: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
+          projectname: 'Kuzzle SDK JavaScript'
+          projectversion: '${{ steps.get-version.outputs.version }}'
+          bomfilename: "./bom.xml"
+          autocreate: true