From 3e490b766c2ff641121e5538b760bd07207e0ac1 Mon Sep 17 00:00:00 2001
From: "Valentin D. Pinkman"
Date: Thu, 3 Oct 2024 11:14:49 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=92=9A=20(repo):=20Generate=20SBOM=20when?= =?UTF-8?q?=20lockfile=20changes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../generate-sbom-composite/action.yml | 34 +++++++++++++++++++
 .github/workflows/generate_sbom.yml | 21 ++++++++++++
 .github/workflows/release.yml | 5 +--
 .gitignore | 5 ++-
 4 files changed, 60 insertions(+), 5 deletions(-)
 create mode 100644 .github/actions/generate-sbom-composite/action.yml
 create mode 100644 .github/workflows/generate_sbom.yml
diff --git a/.github/actions/generate-sbom-composite/action.yml b/.github/actions/generate-sbom-composite/action.yml
new file mode 100644
index 000000000..d23670c23
--- /dev/null
+++ b/.github/actions/generate-sbom-composite/action.yml
@@ -0,0 +1,34 @@
+name: "Download SBOM from Github"
+description: "Download the SBOM from Github API"
+author: "valpinkman"
+inputs:
+ owner:
+ description: "The owner of the repository"
+ required: true
+ repo:
+ description: "The repository name"
+ required: true
+ token:
+ default: ${{ github.token }}
+ description: "The Github token to use to download the SBOM"
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+
+ - name: Download SBOM
+ shell: bash
+ env:
+ GH_TOKEN: ${{ inputs.token }}
+ run: |
+ gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ /repos/${{ inputs.owner }}/${{ inputs.repo }}/dependency-graph/sbom > sbom.json
+
+ - name: Upload SBOM
+ uses: actions/upload-artifact@v4
+ with:
+ name: sbom
+ path: sbom.json
diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml
new file mode 100644
index 000000000..0f3a0667d
--- /dev/null
+++ b/.github/workflows/generate_sbom.yml
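Review bot: The `run:` script of the Download SBOM step interpolates `${{ inputs.owner }}` and `${{ inputs.repo }}` directly into the shell command line, so whatever a calling workflow passes as those inputs is spliced into the script before bash parses it. The usual hardening is to hand the values to the step through `env:` and read them as shell variables, e.g. `OWNER: ${{ inputs.owner }}` and `REPO: ${{ inputs.repo }}` alongside `GH_TOKEN`, with the request path written as `"/repos/$OWNER/$REPO/dependency-graph/sbom" > sbom.json`. The only caller in this commit passes literal strings, so the exposure today is limited to future callers of this reusable action. Separately, `actions/upload-artifact@v4` is referenced by a mutable major tag; for supply-chain hygiene pin it to a full commit SHA with the tag in a trailing comment, and the same applies to `actions/checkout@v4` and the `@develop` reference in the generate_sbom.yml hunk.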
@@ -0,0 +1,21 @@
+name: Generate SBOM
+
+on:
+ push:
+ branches:
+ - develop
+ paths:
+ - "pnpm-lock.yaml"
+
+jobs:
+ generate-sbom:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-toolchain-composite@develop
+
+ - uses: ./.github/actions/generate-sbom-composite
+ with:
+ owner: "LedgerHQ"
+ repo: "device-sdk-ts"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0f4ab6375..86f6a9bb3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,11 +24,8 @@ jobs:
 - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-toolchain-composite@develop
- - name: install dependencies
- run: pnpm install
-
 - name: build libraries
- run: pnpm build
+ run: pnpm build:libs
 - name: Login to internal JFrog registry
 id: jfrog-login
diff --git a/.gitignore b/.gitignore
index 0442bd473..82a65631a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,4 +37,7 @@ lib
 .eslintcache
 # npm config
-.npmrc
\ No newline at end of file
+.npmrc
+
+# sbom
+sbom.json
\ No newline at end of file
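Review bot: The `generate-sbom` job declares no `permissions:` block, so the `GITHUB_TOKEN` it hands to the composite as the default `token` carries the repository's default token permissions rather than the minimum this job needs; add `permissions:` with `contents: read` at job or workflow level so the run is least-privilege. The `actions/checkout@v4` and `setup-toolchain-composite@develop` steps also appear unused here, since the composite fetches the SBOM from the GitHub API rather than building it from the checked-out tree — worth confirming and dropping if nothing else needs them. One caveat I would record in a comment above the `paths:` filter: the dependency-graph SBOM reflects what GitHub has indexed for the repository, and that indexing happens asynchronously after a push, so an artifact fetched right after the lockfile change may still describe the previous state; I cannot confirm the timing from this page.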
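Review bot: With the `install dependencies` step removed, `pnpm build:libs` now relies on `setup-toolchain-composite@develop` having installed the workspace, which is not visible in this hunk; the enclosing job starts and ends outside it. Because that action is referenced by the mutable `develop` branch rather than a tag, a commit SHA, or the local `./.github/actions/...` path of the checked-out release commit, a later change to the composite can silently alter what a release build installs or runs. I would add `# dependencies are installed by setup-toolchain-composite` above the `build libraries` step so the coupling is explicit, and pin the action reference for release builds. I also cannot verify from this page that a `build:libs` script exists in the root package.json.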