Full featured branch #1

Workflow file for this run

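# Generates SPDX SBOMs for a sample image with the in-tree `bom` command and
# submits both files to the SPDX tooling on every pull request against main.
name: Validate SPDX Conformance

on:
  pull_request:
    branches:
      - 'main'

# Deny every token scope at workflow level; each job opts in to what it needs.
permissions: {}

jobs:
  check-spdx:
    name: Check SPDX SBOMs
    runs-on: ubuntu-latest
    permissions:
      # Read-only: this job runs code taken from the pull request.
      contents: read
    steps:
      # Actions are pinned to a full commit SHA; the trailing comment records
      # the release tag that SHA corresponds to.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Do not leave the job token in the checkout's git configuration,
          # where later steps could read it.
          persist-credentials: false

      - name: Extract version of Go to use
        # Dockerfile.dev comes from the pull request, so GOVERSION is
        # contributor-controlled. awk prints one field of one line and then
        # exits, so the value stays on a single line of the environment file.
        # NOTE(review): if no `FROM golang` line matches, GOVERSION is empty;
        # confirm how setup-go handles an empty go-version.
        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile.dev)" >> "$GITHUB_ENV"

      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: '${{ env.GOVERSION }}'
          check-latest: true
          # No Go cache is restored or saved by this pull-request job.
          cache: false

      # Generate the SBOM twice: once in the tool's default output format and
      # once as JSON. The image reference carries no tag or digest, so the
      # scanned input can differ between runs.
      - run: |
          go run ./cmd/bom/main.go generate -i registry.k8s.io/pause > example-image-pause.spdx
          go run ./cmd/bom/main.go generate --format=json -i registry.k8s.io/pause > example-image-pause.spdx.json

      # First call passes no sbom-path and leaves `download` at its default.
      # NOTE(review): presumably this installs the SPDX tools that the next
      # two steps reuse; confirm against the action's documentation.
      - uses: chainguard-dev/actions/setup-spdx@abcc11e1cf9073eff6c69e91c49756c1430b094c # v1.5.8
        with:
          spdx-tools-version: '1.1.8'

      # Check each generated file without downloading the tools again.
      - uses: chainguard-dev/actions/setup-spdx@abcc11e1cf9073eff6c69e91c49756c1430b094c # v1.5.8
        with:
          download: false
          spdx-tools-version: '1.1.8'
          sbom-path: example-image-pause.spdx

      - uses: chainguard-dev/actions/setup-spdx@abcc11e1cf9073eff6c69e91c49756c1430b094c # v1.5.8
        with:
          download: false
          spdx-tools-version: '1.1.8'
          sbom-path: example-image-pause.spdx.json

      # Upload even when an earlier step failed, so a rejected SBOM can be
      # inspected from the run page.
      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: ${{ always() }}
        with:
          name: Example SBOMs
          path: |
            example-image-pause.spdx
            example-image-pause.spdx.json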