APIM-6390-modified SBOM implementation

.github/workflows/sbom.yml

@@ -4,69 +4,79 @@ on:
   workflow_dispatch:
     inputs:
       environment:
-        description: "Run SBOM check"
+        description: "Apply SBOM check"
         required: true
         type: choice
         options:
-          - yes
-          - no
-
-env:
-  SYFT_VERSION: "1.27.1"
-  TF_VERSION: "1.12.2"
+          - apply
+          - skip
+        default: apply
 
 jobs:
-  deploy:
+  sbom-check:
+    if: ${{ github.event.inputs.environment == 'apply' }}
     name: Software Bill of Materials
     runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: write
+
     steps:
-      - name: Checkout
-        uses: actions/checkout@v5        
+      - name: Checkout repository
+        uses: actions/checkout@v5
 
-      - name: Setup Python 3.13
+      - name: Install Python 3.9
         uses: actions/setup-python@v5
         with:
-          python-version: "3.13"
-
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: ${{ env.TF_VERSION }}
+          python-version: 3.9
+
+      - name: Update apt repositories
+        run: sudo apt update
 
-      - uses: terraform-linters/setup-tflint@v5
-        name: Setup TFLint
-        with:
-          tflint_version: v0.58.0
+      - name: Install Java
+        run: sudo apt-get install --yes default-jre default-jdk
 
-      - name: Set architecture variable
-        id: os-arch
+      - name: Install node
         run: |
-          case "${{ runner.arch }}" in
-            X64) ARCH="amd64" ;;
-            ARM64) ARCH="arm64" ;;
-          esac
-          echo "arch=${ARCH}" >> $GITHUB_OUTPUT
+          wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
+          curl -sL https://deb.nodesource.com/setup_18.x | sudo -E bash -
+          sudo apt-get install -y nodejs
 
-      - name: Download and setup Syft
-        run: |
-          DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz"
-          echo "Downloading: ${DOWNLOAD_URL}"
+      - name: Upgrade python packaging tools
+        run: python -m pip install --upgrade pip setuptools wheel
 
-          curl -L -o syft.tar.gz "${DOWNLOAD_URL}"
-          tar -xzf syft.tar.gz
-          chmod +x syft
+      - name: Install poetry
+        run: pip install "poetry<2.0.0"
 
-          # Add to PATH for subsequent steps
-          echo "$(pwd)" >> $GITHUB_PATH
+      - name: Cache poetry packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pypoetry
+          key: ${{ runner.os }}-build-cache-poetry-packages-${{ hashFiles('**/poetry.lock') }}
+
+      - name: Cache node modules
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-build-cache-npm-packages-${{ hashFiles('**/package-lock.json') }}
 
-      - name: Create SBOM
-        run: bash scripts/create-sbom.sh terraform python tflint
+      - name: Install repo
+        run: make install
 
-      - name: Upload SBOM as artifact
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          path: ./
+          format: cyclonedx-json
+          artifact-name: identity-repo-sbom.cdx.json
+
+      - name: Upload SBOM artifact
         uses: actions/upload-artifact@v4
         with:
-          name: sbom
-          path: sbom.json
+          name: sbom-action-${{ github.run_id }}
+          path: /tmp/sbom-action-*/identity-repo-sbom.cdx.json
+          if-no-files-found: warn
+
+      - name: Clean up SBOM file
+        run: rm /tmp/sbom-action-*/identity-repo-sbom.cdx.json || true
+