BC-8631 generate source sbom when tagging (#3596)

.github/workflows/tag.yml

@@ -57,22 +57,16 @@ jobs:
           labels: ${{ steps.docker_meta_img_hub.outputs.labels }}
 
 
-  create-release:
-      needs:
-          - build_and_push
+  create_release:
       runs-on: ubuntu-latest
       permissions:
-          actions: read
           contents: write
       steps:
-          - name: create sbom
-            uses: aquasecurity/[email protected]
-            with:
-                scan-type: 'image'
-                format: 'cyclonedx'
-                image-ref: 'docker.io/schulcloud/schulcloud-client-default:${{ github.ref_name }}'
-                output: 'dependency-results.sbom.json'
+          - name: generate sbom via dependency-graph
+            run: gh api repos/${{ github.repository }}/dependency-graph/sbom > dependencies.sbom.json
+            env:
+                GH_TOKEN: ${{ github.token }}
           - name: create release
             uses: softprops/action-gh-release@v2
             with:
-                files: dependency-results.sbom.json
+                files: dependencies.sbom.json