From 19e007033cade548ed5817b0df005a090dae4181 Mon Sep 17 00:00:00 2001
From: Alex Rosenzweig
Date: Sun, 23 Jun 2024 13:42:02 +1000
Subject: [PATCH] more tweaking

---
 .github/workflows/build_and_publish.yaml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build_and_publish.yaml b/.github/workflows/build_and_publish.yaml
index 41f341c..605ad7c 100644
--- a/.github/workflows/build_and_publish.yaml
+++ b/.github/workflows/build_and_publish.yaml
@@ -36,6 +36,10 @@ jobs:
 distribution: 'zulu'
 java-version: '17'
 cache: 'gradle'
+
+ - name: Install Syft
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
 
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v3
@@ -56,7 +60,7 @@ jobs:
 - name: Get Image Digest
 id: image-digest
 run: |
- DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' {{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }})
+ DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }})
 echo "DIGEST=${DIGEST}" >> $GITHUB_ENV
 
 - name: Sign Docker Image with Cosign
@@ -64,7 +68,7 @@ jobs:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 run: |
 cosign sign --yes --key <(echo "${{ secrets.COSIGN_PRIVATE_KEY }}") ${{ env.DIGEST }}
-
+
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@0.23.0
 with:
@@ -80,3 +84,6 @@ jobs:
 uses: github/codeql-action/upload-sarif@v2
 with:
 sarif_file: 'trivy-results.sarif'
+
+ - name: Generate SBOM
+ run: syft ghcr.io/shellz-n-stuff/slsa-spring-demo:${{ env.COMMIT_SHA }} -o json > sbom.json
\ No newline at end of file
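Review bot: The new Install Syft step fetches `install.sh` from the `main` branch of anchore/syft and pipes it straight to `sh`, so the tool that later produces the SBOM is whatever that unpinned script resolves to at run time, with no version or checksum a reviewer could reproduce. In a workflow that signs images this is the weakest link in the chain; the installer takes a release tag as a trailing argument, so at minimum pin it: `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin <pinned-syft-version>`, and preferably reference the script at a fixed commit instead of `main`, or use `anchore/sbom-action` pinned by commit SHA rather than a mutable tag. A one-line comment above the step, `# Pinned on purpose; bump only after reviewing the release`, keeps the next editor from "fixing" it back to latest.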
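Review bot: The corrected `docker inspect` line still takes `{{index .RepoDigests 0}}`, the first repository digest on the local image, and nothing checks that it belongs to `${{ env.IMAGE_NAME }}`; the Sign Docker Image step outside this hunk signs whatever lands in `DIGEST`, so if the runner holds the image under another repository the wrong reference gets signed. If the image is pushed with docker/build-push-action, its `digest` output is the reliable value; otherwise at least fail when the digest is empty or foreign, e.g. `case "$DIGEST" in "${{ env.IMAGE_NAME }}@sha256:"*) ;; *) echo "unexpected digest: $DIGEST" >&2; exit 1;; esac`. Writing `>> "$GITHUB_ENV"` with quotes is also the safer habit for the append on the following line.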
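Review bot: The new Generate SBOM step inventories the image by a hard-coded reference, `ghcr.io/shellz-n-stuff/slsa-spring-demo:${{ env.COMMIT_SHA }}`, rather than the `${{ env.IMAGE_NAME }}` and `${{ env.DIGEST }}` values the earlier steps already compute, so the SBOM can describe a different artifact from the one that was signed if the tag is moved or the name changes. `sbom.json` is also written and then dropped: nothing uploads or attests it, so the step adds runtime and an unverified download but produces no durable output, and the file is left without a trailing newline. Generating from the digest, emitting a standard format (`spdx-json`), and attaching it to the image as a cosign attestation closes the loop; passing the key as `--key env://COSIGN_PRIVATE_KEY` also keeps the private key out of the rendered script text that the existing sign step interpolates it into.
```yaml
      - name: Generate SBOM
        run: syft ${{ env.DIGEST }} -o spdx-json > sbom.json

      - name: Attest SBOM with Cosign
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --type spdxjson --predicate sbom.json ${{ env.DIGEST }}
```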