From a0b0d3e749d275c04729922b0b1619c83a1c6e6a Mon Sep 17 00:00:00 2001
From: "Jose R. Gonzalez"
Date: Wed, 10 Jul 2024 14:18:31 -0500
Subject: [PATCH] Inline the workflow that generate sbom into the general release tasks (#455)

Signed-off-by: Jose R. Gonzalez
---
 .github/workflows/release.yaml         | 22 ++++++++++++++++++++-
 .github/workflows/sbom-on-release.yaml | 27 --------------------------
 2 files changed, 21 insertions(+), 28 deletions(-)
 delete mode 100644 .github/workflows/sbom-on-release.yaml

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7e43b9db..0e529811 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -63,6 +63,24 @@ jobs:
             echo "Binary version ($bin_version) doesn't match tag ($release_version)" && exit 1
           fi
 
+      - name: Generate SBOM filename
+        id: generate_sbom_filename
+        run: echo sbom_filename="${{ github.event.repository.name }}-${{ steps.get_tag.outputs.release_version }}-sbom.spdx.json" | tee -a $GITHUB_OUTPUT
+
+      - name: Generate SBOM
+        continue-on-error: true
+        id: generate_sbom
+        uses: anchore/sbom-action@v0
+        with:
+          # Setting path to null works around this bug:
+          # https://github.com/anchore/sbom-action/issues/389
+          path: null
+          file: go.mod
+          format: spdx-json
+          output-file: ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
+          artifact-name: ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
+          upload-release-assets: false
+
       - name: Set up Python 3.x
         uses: ./.github/actions/setup-python
 
@@ -83,7 +101,9 @@ jobs:
         with:
           tag_name: ${{ steps.get_tag.outputs.release_version }}
           body: ${{ steps.release_body.outputs.release_body }}
-          files: ${{ steps.build_bin.outputs.tarball_path }}
+          files: |
+            ${{ steps.build_bin.outputs.tarball_path }}
+            ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
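Review bot: `uses: anchore/sbom-action@v0` in the new "Generate SBOM" step pins the tool that produces the release's supply-chain artifact only to a floating major tag, so the job runs whatever that tag resolves to at release time; for a release workflow prefer a full commit SHA with the version as a trailing comment, `uses: anchore/sbom-action@<full-commit-sha>  # v0.x.y` (placeholder — take the SHA from the action's release), and let Dependabot/Renovate bump it. The step also sets `continue-on-error: true` and `id: generate_sbom`, but nothing in this hunk reads `steps.generate_sbom.outcome`, so a failed scan leaves nothing but a log line; a follow-up step with `if: steps.generate_sbom.outcome != 'success'` and `run: echo "::warning::SBOM generation failed; release will ship without an SBOM"` would surface it in the job summary. The `run:` of "Generate SBOM filename" interpolates `${{ steps.get_tag.outputs.release_version }}` straight into the shell command; passing it through an `env:` entry and referencing it as a shell variable keeps the expression out of the shell parser, which is the documented hardening pattern for run steps. The enclosing job and its `steps:` key start before this hunk.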
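Review bot: The new `files: |` block lists `${{ steps.generate_sbom_filename.outputs.sbom_filename }}` unconditionally, while the step that writes that file runs with `continue-on-error: true` (previous hunk), so after a failed SBOM step the release step is handed a path that does not exist; whether that is a silent skip or a failed release at the last moment depends on the release action, whose `uses:` line is outside this hunk. If shipping a release without an SBOM is acceptable, make the list conditional — for instance build it in a prior step that appends the SBOM path only when `steps.generate_sbom.outcome == 'success'`; if it is not acceptable, drop `continue-on-error` so the job fails before the release object is created. The release step's `name:`/`uses:` lines precede this hunk.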
diff --git a/.github/workflows/sbom-on-release.yaml b/.github/workflows/sbom-on-release.yaml
deleted file mode 100644
index 80627f5c..00000000
--- a/.github/workflows/sbom-on-release.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: Generate and Publish SBOM on release
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  generate-src-sbom:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Parse release tag
-        run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) | tee -a $GITHUB_ENV
-      - name: Set output filename
-        run: echo SBOM_OUTPUT_FILE="${{ github.event.repository.name }}-${{ env.RELEASE_TAG }}-sbom.spdx.json" | tee -a $GITHUB_ENV
-      - name: Generate SBOM and Attach to Release
-        # Attaching SBOM to release is inherent behavior of this action.
-        uses: anchore/sbom-action@v0
-        with:
-          # Setting path to null works around this bug:
-          # https://github.com/anchore/sbom-action/issues/389
-          path: null
-          file: go.mod
-          format: spdx-json
-          output-file: ${{ env.SBOM_OUTPUT_FILE }}
-          artifact-name: ${{ env.SBOM_OUTPUT_FILE }}