add workflow

Siedlerchr · Siedlerchr · commit a31869c1b9f9 · 2025-09-12T00:01:32.000+02:00
diff --git a/.github/workflows/sbom-pr.yml b/.github/workflows/sbom-pr.yml
@@ -0,0 +1,68 @@
+name: Update SBOM and open PR
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  generate-and-pr:
+    if: github.repository == 'JabRef/jabref'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+      # Full history is preferred so create-pull-request can diff and commit
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up JDK 24 (Corretto)
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'corretto'
+          java-version: '24'
+          check-latest: true
+          cache: 'gradle'
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+
+      - name: Generate aggregated CycloneDX SBOM
+        run: ./gradlew --no-daemon cyclonedxBom
+
+      - name: Copy SBOMs to repository root
+        run: |
+          set -euo pipefail
+          src_dir="build/reports/cyclonedx"
+          if [ ! -f "$src_dir/bom.json" ] || [ ! -f "$src_dir/bom.xml" ]; then
+            echo "SBOM files not found in $src_dir" 1>&2
+            ls -la "$src_dir" || true
+            exit 1
+          fi
+          cp "$src_dir/bom.json" ./bom.json
+          cp "$src_dir/bom.xml" ./bom.xml
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore(sbom): update CycloneDX SBOM files"
+          committer: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
+          author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
+          title: "[Bot] Update SBOM files"
+          body: |
+            This automated PR updates the aggregated CycloneDX SBOM files (bom.json and bom.xml) in the repository root.
+
+            Generated via Gradle task `cyclonedxBom` using the org.cyclonedx.bom plugin configured in the build.
+          branch: chore/update-sbom
+          delete-branch: true
+          labels: sbom, dependencies
+          add-paths: |
+            bom.json
+            bom.xml
