From dbd8913cc8fa38ae0d536ca55a386b6fa4d6487c Mon Sep 17 00:00:00 2001
From: andip1403 <123165724+andip1403@users.noreply.github.com>
Date: Wed, 30 Oct 2024 18:22:47 +0100
Subject: [PATCH] Playing around with SBOM generation

---
 .github/workflows/createSBOM.yml | 15 +++++++++++++++
 .syft/config.yaml                | 12 ++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 .syft/config.yaml

diff --git a/.github/workflows/createSBOM.yml b/.github/workflows/createSBOM.yml
index e169fd9..8f27893 100644
--- a/.github/workflows/createSBOM.yml
+++ b/.github/workflows/createSBOM.yml
@@ -1,4 +1,19 @@
 name: createSBOM.yml
+
 on:
+  release:
+    types: [created]
 jobs:
+  create-sbom:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Generate SBOM with Syft
+        uses: anchore/sbom-action@v0
+        with:
+          path: .
+          config: ".syft/config.yml"
diff --git a/.syft/config.yaml b/.syft/config.yaml
new file mode 100644
index 0000000..20403c2
--- /dev/null
+++ b/.syft/config.yaml
@@ -0,0 +1,12 @@
+# a list of globs to exclude from scanning, for example:
+# exclude:
+#   - "/etc/**"
+#   - "./out/**/*.json"
+# SYFT_EXCLUDE env var / --exclude flag
+#
+# For studio-client plugins you can skip the scanning process
+# because they are not supposed to introduce new dependencies.
+# The dependencies in the lockfile are considered runtime dependencies.
+# The actual version is determined by the studio-client application.
+exclude:
+  - "/studio-client/**"
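Review bot: The `config:` value on the last added line of the workflow hunk points at `.syft/config.yml`, but the file this commit creates is `.syft/config.yaml`, so the exclude list is never picked up by Syft; change it to `config: ".syft/config.yaml"` (or rename the new file to match). The `create-sbom` job also inherits the repository's default token permissions; a job-level `permissions:` block scoped to what the steps need (`contents: read` for the checkout, widened to `contents: write` only if the SBOM is meant to be attached to the release) keeps the token least-privilege. `actions/checkout@v2` is an outdated major, and both actions are referenced by floating tags; pinning each `uses:` to a full commit SHA with the version in a trailing comment gives an immutable, verifiable action reference, which matters for a workflow whose purpose is supply-chain transparency. The hunk header counts four old lines but only three context lines are visible here, so one line of the original file appears to have been lost in rendering.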
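Review bot: The exclusion added on the last line of the new config, `"/studio-client/**"`, begins with `/`, whereas the example a few lines above uses the `./` form; if I read Syft's directory-source rules correctly, relative excludes must start with `./`, `*/` or `**/`, so a leading `/` will not match the tree under the `path: .` scan root and should be written `- "./studio-client/**"`. Excluding that whole tree also means any dependency that does get declared there will be absent from the resulting SBOM, which is a coverage gap rather than mere noise reduction; the justification in the comment block above is a good start, but a line recording when the assumption was last checked, e.g. `# Reviewed <DATE>: studio-client tree declares no dependencies of its own`, would make the trade-off auditable. Because the `exclude:` key is the only non-comment content, the file's effect on the generated SBOM depends entirely on this one glob being correct.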