upload-sbom.yaml

# based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

name: Upload SBOM to EdgeBit

on:
  workflow_run:
    workflows: ["Generate an SBOM from source code"]
    types:
      - completed

jobs:
  upload:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'

    steps:
      - name: Download metadata
        id: metadata
        uses: dawidd6/action-download-artifact@v2.28.0
        with:
          run_id: ${{ github.event.workflow_run.id }}
          name: metadata.json

      - name: Download SBOM
        id: sbom
        uses: dawidd6/action-download-artifact@v2.28.0
        with:
          run_id: ${{ github.event.workflow_run.id }}
          name: sbom.spdx.json

      - name: Upload SBOM to EdgeBit
        uses: edgebitio/edgebit-build@v1
        with:
          edgebit-url: "https://edgebit.edgebit.io"
          token: ${{ secrets.EDGEBIT_TOKEN }}
          component: "enclaver"
          sbom-file: ./sbom.spdx.json
          args-file: ./metadata.json