ci: move SBOM upload to release.yml (#1501)

CBenoit · web-flow · commit 5c265d0540db · 2025-09-12T13:42:06.000Z
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -706,13 +706,10 @@ jobs:
           path: jetsocat/nuget/*.nupkg
           if-no-files-found: error
 
-  # FIXME: Looks like the wrong place to _upload_ that. There is no guarantee we actually deploy the package at this point.
   generate-sbom:
-    name: Upload SBOM
+    name: Generate SBOM
     runs-on: ubuntu-latest
     needs: preflight
-    if: ${{ github.ref == 'refs/heads/master' }}
-    environment: sbom
 
     steps:
       - name: Checkout ${{ github.repository }}
@@ -736,28 +733,8 @@ jobs:
       - name: Generate SBOM
         uses: ./.github/workflows/cdxgen
 
-      - name: Save SBOM
+      - name: Save SBOM artifact
         uses: actions/upload-artifact@v4
         with:
-          name: bom.json
+          name: sbom
           path: bom.json
-
-      - name: Upload SBOM to OneDrive Releases
-        uses: ./.github/workflows/onedrive-upload
-        with:
-          azure_client_id: ${{ secrets.ONEDRIVE_AUTOMATION_CLIENT_ID }}
-          azure_client_secret: ${{ secrets.ONEDRIVE_AUTOMATION_CLIENT_SECRET }}
-          conflict_behavior: replace
-          destination_path: /Gateway/${{ needs.preflight.outputs.version }}
-          remote: releases
-          source_path: bom.json
-
-      - name: Upload SBOM to Dependency-Track
-        uses: ./.github/workflows/dtrack-upload-sbom
-        with:
-          api_key: ${{ secrets.DTRACK_AUTOMATION_API_KEY }}
-          autocreate: 'true'
-          bom_filename: bom.xml
-          project_name: devolutions-gateway
-          project_version: ${{ needs.preflight.outputs.version }}
-          server_hostname: 'dtrack-api.devolutions.com'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -464,3 +464,35 @@ jobs:
           GITHUB_TOKEN: ${{ github.token }}
         run: ./ci/remove-labels.ps1 -Label 'release-required'
 
+  upload-sbom:
+    name: Upload SBOM
+    runs-on: ubuntu-latest
+    needs: preflight
+    if: needs.preflight.outputs.skip-publishing == 'false' && inputs.dry-run == false
+    environment: sbom
+
+    steps:
+      - name: Download SBOM artifact
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh run download ${{ steps.get-run.outputs.run }} -n sbom --repo $Env:GITHUB_REPOSITORY
+
+      - name: Upload SBOM to OneDrive Releases
+        uses: ./.github/workflows/onedrive-upload
+        with:
+          azure_client_id: ${{ secrets.ONEDRIVE_AUTOMATION_CLIENT_ID }}
+          azure_client_secret: ${{ secrets.ONEDRIVE_AUTOMATION_CLIENT_SECRET }}
+          conflict_behavior: replace
+          destination_path: /Gateway/${{ needs.preflight.outputs.version }}
+          remote: releases
+          source_path: bom.json
+
+      - name: Upload SBOM to Dependency-Track
+        uses: ./.github/workflows/dtrack-upload-sbom
+        with:
+          api_key: ${{ secrets.DTRACK_AUTOMATION_API_KEY }}
+          autocreate: 'true'
+          bom_filename: bom.xml
+          project_name: devolutions-gateway
+          project_version: ${{ needs.preflight.outputs.version }}
+          server_hostname: 'dtrack-api.devolutions.com'
