Testing sbom pipeline

Author: j28smith

.github/workflows/sbom.yaml

@@ -0,0 +1,45 @@
+name: Generate and Sign SBOM
+
+on:
+  push:
+    branches: [main, add-sbom-workflow]
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+env:
+  COMPONENT_VERSION: ${{ github.sha }}
+
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Syft
+        uses: anchore/sbom-action@v0.20.6
+
+      - name: Generate SBOM with Syft
+        run: syft . -o cyclonedx-json=sbom.${{ env.COMPONENT_VERSION }}.cdx.json
+
+
+      - name: Sign SBOM
+        uses: shiftleftcyber/secure-sbom-action@v1.2.0
+        with:
+          sbom_file: sbom.${{ env.COMPONENT_VERSION }}.cdx.json
+          secure_sbom_action: sign
+          api_key: ${{ secrets.SECURE_SBOM_API_KEY }}
+          key_id: ${{ secrets.SECURE_SBOM_KEY_ID }}
+
+      - name: Archive Signed SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: secure-sbom-api-signed-sbom
+          path: sbom.${{ env.COMPONENT_VERSION }}.cdx.signed.json
+          retention-days: 30
+
+      - name: Clean up
+        run: rm -f sbom.${{ env.COMPONENT_VERSION }}.cdx.json sbom.${{ env.COMPONENT_VERSION }}.cdx.signed.json