From c25325ea7fe050ed2a31cb5f41ba0e6ff115c467 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 13:22:35 -0500
Subject: [PATCH] add sbom to release artifacts
---
 .github/workflows/release.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 410baee5..5a2dac4a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -275,6 +275,15 @@ jobs:
 curl -sSLf -o ./automated-release-build/source-${{ github.ref_name }}.tar.gz \
 https://api.github.com/repos/${{ github.repository }}/tarball/${{ github.ref_name }}

+ - name: Build SBOM from Dependency Graph as SPDX JSON
+ shell: bash
+ run: |
+ gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ /repos/${{ github.repository }}/dependency-graph/sbom \
+ | tee ./automated-release-build/sbom-${{ github.ref_name }}.spdx.json
+
 - uses: actions/download-artifact@v4
 with:
 path: ./automated-release-build
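Review bot: The new step's `run:` script expands `${{ github.ref_name }}` and `${{ github.repository }}` directly into bash, so a ref name containing shell metacharacters is read as script text rather than data; pass the values through the step environment instead, e.g. `REF_NAME: ${{ github.ref_name }}` under `env:` and `| tee "./automated-release-build/sbom-${REF_NAME}.spdx.json"` in the script (the curl context line just above follows the same pattern). `gh api` reads its token from `GH_TOKEN`, and no `env:` is set on this step, so confirm it is exported at job or workflow level outside the hunk, otherwise add `GH_TOKEN: ${{ github.token }}`. The dependency-graph SBOM endpoint is called without any ref, so the file named after the release ref presumably describes the repository's current dependency graph rather than the tagged tree; a comment such as `# SBOM reflects the dependency graph at export time, not necessarily this tag` would keep consumers from over-trusting it. `tee` also copies the whole document into the job log, where a plain `>` redirect would write only the artifact.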