feat: publish SBOMs (#1380)

While clearly not perfect, I think we should start growing
towards publishing valid SBOMs for our artifacts, and
publishing these is a good first step in that direction.

Author: raboof

project/PekkoBuild.scala

@@ -20,6 +20,7 @@ import sbt.Keys._
 import sbt._
 import sbtassembly.AssemblyPlugin.autoImport._
 import sbtwelcome.WelcomePlugin.autoImport._
+import _root_.io.github.siculo.sbtbom.BomSbtPlugin.autoImport.makeBom
 
 import java.io.FileInputStream
 import java.io.InputStreamReader
@@ -267,6 +268,10 @@ object PekkoBuild {
     mavenLocalResolverSettings,
     docLintingSettings,
     JdkOptions.targetJdkSettings,
+    // needed until https://github.com/siculo/sbt-bom/pull/57 has been merged
+    packagedArtifacts += {
+      Artifact(artifact.value.name, "cyclonedx", "xml") -> makeBom.value
+    },
     // a workaround for https://github.com/akka/akka/issues/27661
     // see also project/Protobuf.scala that introduces /../ to make "intellij happy"
     MultiJvm / assembly / fullClasspath := {

project/plugins.sbt

@@ -30,6 +30,7 @@ addSbtPlugin("com.github.pjfanning" % "sbt-pekko-build" % "0.3.4")
 addSbtPlugin("com.github.reibitto" % "sbt-welcome" % "0.4.0")
 addSbtPlugin("com.github.sbt" % "sbt-license-report" % "1.6.1")
 addSbtPlugin("io.github.roiocam" % "sbt-depend-walker" % "0.1.1")
+addSbtPlugin("io.github.siculo" % "sbt-bom" % "0.3.0")
 
 addSbtPlugin("org.apache.pekko" % "pekko-sbt-paradox" % "1.0.1")