diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8d9b107..83c772d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -92,11 +92,41 @@ jobs: } } + - name: Generate SBOM (CycloneDX) + if: steps.check-packages.outputs.has-packages == 'true' + shell: pwsh + run: | + dotnet tool install --global CycloneDX + + $sbomDir = Join-Path $PWD 'nuget-packages' + $srcProjects = Get-ChildItem -Path 'src' -Filter '*.csproj' -Recurse -ErrorAction SilentlyContinue + + if ($srcProjects.Count -eq 0) { + Write-Warning "No projects found in src/ - skipping SBOM generation" + return + } + + foreach ($proj in $srcProjects) { + $sbomName = "$($proj.BaseName).bom.json" + $sbomPath = Join-Path $sbomDir $sbomName + + Write-Host "📋 Generating SBOM for $($proj.Name)" -ForegroundColor Cyan + dotnet CycloneDX $proj.FullName --output $sbomDir --filename $sbomName --json + + if ($LASTEXITCODE -ne 0) { + Write-Warning "⚠️ SBOM generation failed for $($proj.Name) - continuing" + } else { + Write-Host "✅ SBOM generated: $sbomName" -ForegroundColor Green + } + } + + - name: Upload NuGet packages as artifacts uses: actions/upload-artifact@v4 with: name: nuget-packages path: ./nuget-packages/*.nupkg + ./nuget-packages/*.bom.json retention-days: 30 - name: Publish NuGet Package @@ -106,6 +136,7 @@ jobs: run: | $packagesPath = Join-Path $PWD 'nuget-packages' Get-ChildItem -Path $packagesPath -Filter '*.nupkg' | ForEach-Object { + ./nuget-packages/*.bom.json Write-Host "Publishing $($_.FullName)" dotnet nuget push $_.FullName --api-key $env:NUGET_API_KEY --source https://api.nuget.org/v3/index.json --skip-duplicate if ($LASTEXITCODE -ne 0) {
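Review bot: The new "Generate SBOM (CycloneDX)" step installs the tool unpinned with `dotnet tool install --global CycloneDX`, so the release job resolves whatever the latest version on NuGet.org is at run time, and a step that produces the supply-chain evidence for this release is itself unpinned; pin it, e.g. `dotnet tool install --global CycloneDX --version <pinned-version>`, and bump it deliberately. In the same step a failed `dotnet CycloneDX` run only emits `Write-Warning` and continues, so the release can ship with a package that has no BOM while the job stays green; consider `exit 1` there (or at least a step output that the publish step checks) rather than silently continuing. `$sbomPath` is assigned but never used and can be dropped. I would also add a comment above the install line: `# Pinned: this tool produces the release SBOM, so its own version must be deterministic`.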
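Review bot: The second hunk adds a bare `./nuget-packages/*.bom.json` line inside the `ForEach-Object { … }` script block of the "Publish NuGet Package" step, where PowerShell will parse it as a command invocation rather than as an artifact path; it looks like an upload-artifact `path:` entry that landed in the wrong place, though it may be a diff-rendering artifact. If it is real, with the `$ErrorActionPreference = 'stop'` that GitHub prepends to pwsh steps this would presumably fail before the first `dotnet nuget push` runs. The line should simply be removed; the BOM files are already covered by the `path:` change in the upload-artifact step in the first hunk and are not meant to be pushed to nuget.org.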