CD workflow: generate SBOM artifact with least-privilege permissions (#62)

* Initial plan

* feat: generate SBOM and attach as artifact in CD workflow

Co-authored-by: thomasneuberger <23504477+thomasneuberger@users.noreply.github.com>
Agent-Logs-Url: https://github.com/thomasneuberger/TgHomeBot/sessions/919dae8a-b9a6-479b-8135-ed4e6160e078

* Add artifact write permission

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Pin action to SHA

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: remove unneeded id-token and attestations write permissions from CD workflow

Co-authored-by: thomasneuberger <23504477+thomasneuberger@users.noreply.github.com>
Agent-Logs-Url: https://github.com/thomasneuberger/TgHomeBot/sessions/520c83c2-8c1a-4670-ac3e-6cc2fd1abb96

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: thomasneuberger <23504477+thomasneuberger@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

.github/workflows/cd.yml

@@ -17,6 +17,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      actions: write
 
     steps:
     - uses: actions/checkout@v4
@@ -54,5 +55,13 @@ jobs:
         tags: ${{ steps.metaApi.outputs.tags }}
         labels: ${{ steps.metaApi.outputs.labels }}
 
+    - name: Generate SBOM
+      uses: anchore/sbom-action@0c39f226e1aa89d60625e475bb6270a458861361
+      with:
+        image: ${{ env.REGISTRY }}/thomasneuberger/tghomebot-api:${{ steps.imageTag.outputs.tag }}
+        artifact-name: sbom-${{ steps.imageTag.outputs.tag }}.spdx.json
+        output-file: sbom.spdx.json
+        format: spdx-json
+
     - name: Output image tag
       run: echo "Image tag ${{ steps.imageTag.outputs.tag }} published" >> $GITHUB_STEP_SUMMARY