💚 (repo): Generate SBOM when lockfile changes

.github/actions/generate-sbom-composite/action.yml

@@ -0,0 +1,28 @@
+name: "Download SBOM from Github"
+description: "Download the SBOM from Github API"
+author: "valpinkman"
+inputs:
+  owner:
+    description: "The owner of the repository"
+    required: true
+  repo:
+    description: "The repository name"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: Download SBOM
+      shell: bash
+      run: |
+        gh api \
+          -H "Accept: application/vnd.github+json" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          /repos/${{ inputs.owner }}/${{ inputs.repo }}/dependency-graph/sbom > sbom.json
+
+    - name: Upload SBOM
+      uses: actions/upload-artifact@v4
+      with:
+        name: sbom
+        path: sbom.json

.github/workflows/generate_sbom.yml

@@ -0,0 +1,17 @@
+name: Generate SBOM
+
+on:
+  pull_request:
+
+jobs:
+  generate-sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-toolchain-composite@develop
+
+      - uses: ./.github/actions/generate-sbom-composite
+        with:
+          owner: "LedgerHQ"
+          repo: "device-sdk-ts"

.github/workflows/release.yml

@@ -24,11 +24,8 @@ jobs:
 
       - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-toolchain-composite@develop
 
-      - name: install dependencies
-        run: pnpm install
-
       - name: build libraries
-        run: pnpm build
+        run: pnpm build:libs
 
       - name: Login to internal JFrog registry
         id: jfrog-login

.gitignore

@@ -37,4 +37,7 @@ lib
 .eslintcache
 
 # npm config
-.npmrc
+.npmrc
+
+# sbom
+sbom.json