ci(release): attach CycloneDX SBOM to every GitHub release

Amends release-please.yml with conditional steps that run only when release-please cuts a release: - checkout + pnpm install to give @cyclonedx/cyclonedx-npm the full resolved workspace graph - pnpm dlx @cyclonedx/cyclonedx-npm generates a CycloneDX 1.6 JSON SBOM named sbom-<tag>.cdx.json; --ignore-npm-errors is required because npm ls exits non-zero for dev-deps-of-dev-deps pnpm correctly elides - softprops/action-gh-release@<SHA> (v3.0.0, Renovate-managed) attaches the file to the GitHub release as a downloadable asset Adds ADR-023 §9 amendment documenting the step shape, rationale for pnpm dlx (avoids lockfile per ADR-022), --ignore-npm-errors behaviour, SHA pinning per ADR-023 §1, and the extended failure-mode table. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 11:31:08 +00:00
parent 224a5d78c8
commit 08bc19293a
2 changed files with 114 additions and 0 deletions
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -40,7 +40,44 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: googleapis/release-please-action@v4
+        id: release
        with:
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json
          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # The steps below run only when release-please actually cut a release.
+      # pnpm dlx avoids adding @cyclonedx/cyclonedx-npm to the lockfile (CI-only
+      # tool per ADR-022); SHA-pinned action follows ADR-023 §1 Renovate pattern.
+      - uses: actions/checkout@v4
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+
+      - uses: pnpm/action-setup@v4
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        with:
+          version: 9
+
+      - uses: actions/setup-node@v4
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install dependencies
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        run: pnpm install --frozen-lockfile
+
+      - name: Generate CycloneDX SBOM
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        run: >
+          pnpm dlx @cyclonedx/cyclonedx-npm
+          --output-file sbom-${{ steps.release.outputs.tag_name }}.cdx.json
+          --output-format json
+          --ignore-npm-errors
+
+      - name: Attach SBOM to GitHub release
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
+        with:
+          tag_name: ${{ steps.release.outputs.tag_name }}
+          files: sbom-${{ steps.release.outputs.tag_name }}.cdx.json