ci: Generate SBOM (#245)

## This PR
Generates Software Bill of Materials (SBOM) as described in #159. Once
NuGet/Home#12497 is implemented, the SBOM
file(s) should be embedded in the published nuget packages. Until then,
I've added the SBOM as an asset under the release.

### Known issue
The SBOM file lists the dependences for all target frameworks combined.
Once the above [NuGet ](NuGet/Home#12497
is implemented, it should be changed, so there is one sbom created for
each target framework with only the applicable references included.

### Related Issues
Fixes #159

### How to test
Unfortunately, this is somewhat cumbersome to test, as the logic in
question only kicks in upon a release from the main branch. I've tested
it myself this way:
- Create new fork of this repo
- Merge this branch to main in the new repo
- Create a release in the new repo

Signed-off-by: Jens Henneberg <[email protected]>
Co-authored-by: André Silva <[email protected]>

Author: jenshenneberg

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - main
 
 jobs:
-  release-package:
+  release-please:
     runs-on: ubuntu-latest
 
     steps:
@@ -16,14 +16,21 @@ jobs:
           command: manifest
           token: ${{secrets.GITHUB_TOKEN}}
           default-branch: main
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      release_tag_name: ${{ steps.release.outputs.tag_name }}
 
+  release:
+    runs-on: ubuntu-latest
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created }}
+
+    steps:
       - uses: actions/checkout@v4
-        if: ${{ steps.release.outputs.releases_created }}
         with:
           fetch-depth: 0
 
       - name: Setup .NET SDK
-        if: ${{ steps.release.outputs.releases_created }}
         uses: actions/setup-dotnet@v4
         env:
           NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -34,13 +41,33 @@ jobs:
           source-url: https://nuget.pkg.github.com/open-feature/index.json
 
       - name: Install dependencies
-        if: ${{ steps.release.outputs.releases_created }}
         run: dotnet restore
 
       - name: Pack
-        if: ${{ steps.release.outputs.releases_created }}
         run: dotnet pack --no-restore
 
       - name: Publish to Nuget
-        if: ${{ steps.release.outputs.releases_created }}
         run: dotnet nuget push "src/**/*.nupkg" --api-key "${{ secrets.NUGET_TOKEN }}" --source https://api.nuget.org/v3/index.json
+
+  sbom:
+    runs-on: ubuntu-latest
+    needs: release-please
+    continue-on-error: true
+    if: ${{ needs.release-please.outputs.release_created }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install CycloneDX.NET
+        run: dotnet tool install CycloneDX
+
+      - name: Generate .NET BOM
+        run: dotnet CycloneDX --json --exclude-dev -sv "${{ needs.release-please.outputs.release_tag_name }}" ./src/OpenFeature/OpenFeature.csproj
+
+      - name: Attach SBOM to artifact
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        run:
+          gh release upload ${{ needs.release-please.outputs.release_tag_name }} bom.json