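# Generates SPDX and CycloneDX SBOMs with Trivy when a v* tag is pushed (or
# on manual dispatch) and commits the sbom/ directory to main.
name: Generate SBOM

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:

jobs:
  generate-sbom:
    runs-on: ubuntu-latest
    steps:
      # Every action is pinned to a full commit SHA; the trailing comment
      # records the release the SHA was taken from.
      - name: Checkout
        uses: https://git.quad4.io/actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
        with:
          fetch-depth: 0
          ref: ${{ github.ref }}

      - name: Setup Go
        uses: https://git.quad4.io/actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff  # v5
        with:
          go-version: '1.25.5'

      - name: Setup Task
        uses: https://git.quad4.io/actions/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2  # v1
        with:
          version: '3.46.3'

      - name: Setup environment
        run: task setup

      - name: Install dependencies
        run: task install:ci

      # The package URL is pinned to a commit of the assets repository.
      # --fail makes curl exit non-zero on an HTTP error instead of saving the
      # error page as trivy.deb and leaving dpkg to trip over it.
      # NOTE(review): the package is installed as root with no integrity
      # check of its own; consider recording its SHA-256 in this repository
      # and verifying it (sha256sum -c) before the dpkg call.
      - name: Download Trivy
        run: |
          curl --fail -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Extra/assets/raw/commit/90fdcea1bb71d91df2de6ff2e3897f278413f300/bin/trivy_0.68.2_Linux-64bit.deb
          sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y

      - name: Generate SBOM
        run: |
          mkdir -p sbom
          trivy fs --format spdx-json --include-dev-deps --output sbom/sbom.spdx.json .
          trivy fs --format cyclonedx --include-dev-deps --output sbom/sbom.cyclonedx.json .

      # The token and repository name reach the script through the step
      # environment instead of being templated into the script text, so the
      # secret never becomes part of the generated shell source and is always
      # treated as data by the shell.
      # The commit is gated on the staged diff only: unstaged changes left
      # behind by earlier steps no longer trigger a `git commit` that fails
      # with nothing staged.
      # NOTE(review): the SBOM is built from the ref that triggered the run
      # but committed to main; confirm that is the intended pairing.
      - name: Commit and Push Changes
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          REPOSITORY: ${{ github.repository }}
        run: |
          git config --global user.name "Gitea Action"
          git config --global user.email "actions@noreply.quad4.io"
          git remote set-url origin "https://${GITEA_TOKEN}@git.quad4.io/${REPOSITORY}.git"
          git fetch origin main
          git checkout main
          git add sbom/
          if ! git diff --staged --quiet; then
            git commit -m "Auto-update SBOM [skip ci]"
            git push origin main
          fi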