Add secure-sbom workflow for SBOM signing

.github/workflows/gen_and_sign_sbom.yml

@@ -0,0 +1,93 @@
+name: Generate and Sign SBOM
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  SBOM_OUTPUT: sbom-source.json
+
+jobs:
+  generate-sbom:
+    name: Generate SBOM
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+
+      - name: Set SBOM file name
+        run: |
+          SAFE_REF_NAME="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
+          SAFE_REF_NAME="${SAFE_REF_NAME//\//-}"
+          echo "SBOM_NAME=sbom-validator.${SAFE_REF_NAME}.cdx.json" >> $GITHUB_ENV
+          echo "sbom-validator.${SAFE_REF_NAME}.cdx.json" > sbom_filename.txt
+
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v2
+        with:
+          version: v1
+          args: mod -licenses -json -output-version 1.6 -output ${{ env.SBOM_NAME }}
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-sbom
+          path: ${{ env.SBOM_NAME }}
+
+      - name: Upload SBOM filename
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-filename
+          path: sbom_filename.txt
+
+  sign-and-archive-sbom:
+    name: Sign and Archive SBOM
+    needs: generate-sbom
+    runs-on: ubuntu-latest
+    env:
+      SIGN_API_URL: https://secure-sbom-api-demo-slc-gateway-dhncnyq8.uc.gateway.dev/signdx
+      SECURE_SBOM_KEY_ID: ${{ secrets.SECURE_SBOM_KEY_ID }}
+
+    steps:
+      - name: Download unsigned SBOM artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: unsigned-sbom
+
+      - name: Download SBOM filename
+        uses: actions/download-artifact@v4
+        with:
+            name: sbom-filename
+
+      - name: Set SBOM_FILENAME env var
+        run: echo "SBOM_FILENAME=$(cat sbom_filename.txt)" >> $GITHUB_ENV
+
+      - name: Sign SBOM using Secure SBOM API
+        run: |
+          curl --fail -s -X POST ${SIGN_API_URL}?sigType=simple \
+            -F "keyid=${SECURE_SBOM_KEY_ID}" \
+            -F "file=@${{ env.SBOM_FILENAME }}" \
+            -o tmp.cdx.signed.json
+
+      - name: Rename signed SBOM to follow naming convention
+        run: |
+          SIGNED_SBOM_NAME="${SBOM_FILENAME%.cdx.json}.cdx.signed.json"
+          mv tmp.cdx.signed.json "$SIGNED_SBOM_NAME"
+          echo "SIGNED_SBOM_NAME=$SIGNED_SBOM_NAME" >> $GITHUB_ENV
+
+      - name: Upload signed SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: signed-sbom
+          path: ${{ env.SIGNED_SBOM_NAME }}
+          retention-days: 7