From c45021d440cfc5870d36950819a474251ee5f1de Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Fri, 21 Nov 2025 19:20:58 +0000
Subject: [PATCH 1/3] Add Rust SBOM generation workflow using cargo-cyclonedx

---
 .github/workflows/sbom.yml | 85 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 .github/workflows/sbom.yml

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 000000000..08ba88024
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,85 @@
+name: Generate SBOM
+
+# This workflow uses cargo-cyclonedx and publishes an sbom.json artifact.
+# It runs on manual trigger or when Cargo files change on main branch,
+# and creates a PR with the updated SBOM.
+# Internal documentation: go/sbom-scope
+
+on:
+ workflow_dispatch: {}
+ push:
+ branches: ['main']
+ paths:
+ - 'Cargo.toml'
+ - 'Cargo.lock'
+ - 'driver/Cargo.toml'
+ - 'macros/Cargo.toml'
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ sbom:
+ name: Generate SBOM and Create PR
+ runs-on: ubuntu-latest
+ concurrency:
+ group: sbom-${{ github.ref }}
+ cancel-in-progress: false
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Set up Rust
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+ with:
+ toolchain: stable
+
+ - name: Install cargo-cyclonedx
+ run: cargo install cargo-cyclonedx
+
+ - name: Generate SBOM
+ run: |
+ cargo cyclonedx --manifest-path driver/Cargo.toml -vv --format json --override-filename sbom
+ cp driver/sbom.json sbom.json
+
+ - name: Upload SBOM artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: sbom
+ path: sbom.json
+ if-no-files-found: error
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@b4733b9419fd47bbfa1807b15627e17cd70b5b22
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ commit-message: 'chore: Update SBOM after dependency changes'
+ branch: auto-update-sbom-${{ github.run_id }}
+ delete-branch: true
+ title: 'chore: Update SBOM'
+ body: |
+ ## Automated SBOM Update
+
+ This PR was automatically generated because dependency manifest files changed.
+
+ ### Changes
+ - Updated `sbom.json` to reflect current dependencies
+
+ ### Verification
+ The SBOM was generated using cargo-cyclonedx with the current Rust workspace.
+
+ ### Triggered by
+ - Commit: ${{ github.sha }}
+ - Workflow run: ${{ github.run_id }}
+
+ ---
+ _This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_
+ labels: |
+ sbom
+ automated
+ dependencies
+

From 139f83d98d37c681eee5ee51fb5f0d6721e9e719 Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Fri, 21 Nov 2025 19:28:42 +0000
Subject: [PATCH 2/3] added in spec 1.5 and sbom validation

---
 .github/workflows/sbom.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 08ba88024..49f0a9df6 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -43,9 +43,17 @@ jobs:
 
 - name: Generate SBOM
 run: |
- cargo cyclonedx --manifest-path driver/Cargo.toml -vv --format json --override-filename sbom
+ cargo cyclonedx --manifest-path driver/Cargo.toml --spec-version 1.5 -vv --format json --override-filename sbom
 cp driver/sbom.json sbom.json
 
+ - name: Download CycloneDX CLI
+ run: |
+ curl -L -s -o /tmp/cyclonedx "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64"
+ chmod +x /tmp/cyclonedx
+
+ - name: Validate SBOM
+ run: /tmp/cyclonedx validate --input-file sbom.json --fail-on-errors
+
 - name: Upload SBOM artifact
 uses: actions/upload-artifact@v4
 with:

From 26dbb53725da00fc5fff0f474211aee9a65ed553 Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Fri, 21 Nov 2025 22:18:54 +0000
Subject: [PATCH 3/3] Additional cleanup

---
 .github/workflows/sbom.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 49f0a9df6..4a0b426b3 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
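Review bot: The Install cargo-cyclonedx step runs `cargo install cargo-cyclonedx` with no version, so the tool that produces the inventory committed to the repository is resolved to whatever crates.io serves at run time, in a job holding `contents: write` and `pull-requests: write`. Pin it and its resolved dependency graph, `run: cargo install cargo-cyclonedx --locked --version <PINNED_VERSION>`, with the placeholder replaced by the version the team has reviewed. For the same reason, `actions/checkout@v4` and `actions-rust-lang/setup-rust-toolchain@v1` are tag-pinned while the Create Pull Request step is already SHA-pinned; pinning all three the same way keeps the workflow's supply-chain posture consistent. The `push` trigger also fires on `Cargo.lock`, the root `Cargo.toml` and `macros/Cargo.toml`, yet only `driver/Cargo.toml` is passed to cargo cyclonedx, so a one-line comment on the Generate SBOM step stating why the driver crate alone is inventoried would help the next reader.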
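Review bot: The Download CycloneDX CLI step executes a binary fetched with `curl -L -s` and no integrity check, so the runner, which holds a write-capable GITHUB_TOKEN, trusts whatever bytes the release URL returns; the `v0.29.1` tag pins a name, not content. The `-s` without `-f` also means an HTTP error body would be saved and `chmod +x`'d, and the failure would only surface later in the Validate SBOM step with a confusing message. Use `curl -fsSL -o /tmp/cyclonedx "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64"` and, before the `chmod +x` line, `echo "<EXPECTED_SHA256>  /tmp/cyclonedx" | sha256sum -c -`, where the placeholder is the digest recorded for that release asset.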
@@ -45,6 +45,8 @@ jobs:
 run: |
 cargo cyclonedx --manifest-path driver/Cargo.toml --spec-version 1.5 -vv --format json --override-filename sbom
 cp driver/sbom.json sbom.json
+ # Clean up workspace member SBOMs - we only want the driver SBOM
+ rm -f driver/sbom.json macros/sbom.json benchmarks/sbom.json etc/update_version/sbom.json
 
 - name: Download CycloneDX CLI
 run: |
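Review bot: The added `rm -f` line hard-codes four member paths, so a workspace member added later would leave a stray `sbom.json` that the Create Pull Request step, outside this hunk, would commit alongside the real one. Because the driver SBOM has already been copied to the top-level `sbom.json` on the line above, the cleanup can be written generically: `find . -mindepth 2 -type f -name sbom.json -delete`, which removes every nested copy and keeps the root file regardless of how the workspace grows. A narrower alternative is to limit what the PR action stages; `peter-evans/create-pull-request` has an `add-paths` input in recent releases, though I cannot confirm from the pinned SHA alone that this version provides it. The enclosing `- name: Generate SBOM` step header is outside the hunk.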