From f3de404d0ca9b2ab6012408cab1c66374f240aee Mon Sep 17 00:00:00 2001
From: Phillip Wirth
Date: Mon, 17 Feb 2025 16:42:39 +0100
Subject: [PATCH] BC-8631 generate source sbom when tagging
---
 .github/workflows/tag.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 2c7601b..ed7bf95 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -67,3 +67,18 @@ jobs:
 COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}
 DIGEST: ${{ steps.build_and_push.outputs.digest }}
+
+
+ create_release:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - name: generate sbom via dependency-graph
+ run: gh api repos/${{ github.repository }}/dependency-graph/sbom > dependencies.sbom.json
+ env:
+ GH_TOKEN: ${{ github.token }}
+ - name: create release
+ uses: softprops/action-gh-release@v2
+ with:
+ files: dependencies.sbom.json
\ No newline at end of file
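Review bot: `softprops/action-gh-release@v2` in the new `create_release` job is referenced by a mutable tag while the job's token holds `contents: write`, so whatever that tag resolves to at run time executes with the ability to change releases and repository contents; pin it to a reviewed commit, e.g. `uses: softprops/action-gh-release@<full-commit-sha> # v2`. The SBOM step also stores the raw API response, which wraps the SPDX document under a top-level `sbom` key, so `run: gh api repos/${{ github.repository }}/dependency-graph/sbom --jq .sbom > dependencies.sbom.json` would publish the document itself. The dependency-graph export appears to describe the default branch rather than the tagged commit, and the file is attached unsigned although the context lines suggest the image is cosign-signed; a comment above the step such as `# SBOM reflects the default-branch dependency graph at release time, not necessarily the tagged commit` would make that limit explicit. The `jobs:` mapping and the signing step begin outside the hunk.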