From 8c71d5a34421055228f870c96c57a99d52706541 Mon Sep 17 00:00:00 2001
From: Prabhu Subramanian
Date: Mon, 20 Nov 2023 14:21:38 +0000
Subject: [PATCH] Test oras sbom attach
Signed-off-by: Prabhu Subramanian
---
 .github/workflows/npm-release.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
index 118de55e28..b9371dfc24 100644
--- a/.github/workflows/npm-release.yml
+++ b/.github/workflows/npm-release.yml
@@ -86,6 +86,14 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha,scope=cdxgen
 cache-to: type=gha,mode=max,scope=cdxgen
+ - name: Attach cdx sbom
+ run: |
+ npm install
+ node bin/cdxgen.js --generate-key-and-sign -t docker -o bom.json --deep ghcr.io/cyclonedx/cdxgen
+ oras attach --artifact-type sbom/cyclonedx --image-spec v1.1-artifact ghcr.io/cyclonedx/cdxgen:${{ steps.meta.outputs.tags }} ./bom.json:application/json
+ oras discover -o tree ghcr.io/cyclonedx/cdxgen:${{ steps.meta.outputs.tags }}
+ env:
+ CDXGEN_DEBUG_MODE: debug
 - name: Extract metadata (tags, labels) for Docker
 id: meta2
 uses: docker/metadata-action@v4
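Review bot: The new `Attach cdx sbom` step scans `ghcr.io/cyclonedx/cdxgen` with no tag or digest but attaches the result to `ghcr.io/cyclonedx/cdxgen:${{ steps.meta.outputs.tags }}`, so the SBOM is not guaranteed to describe the image it is attached to. The `tags` output of docker/metadata-action is normally a newline-separated list of full image references, so appending it after `cdxgen:` probably yields an invalid reference, and expanding it inline in `run:` places ref-derived text directly into the shell script. Both `cdxgen` and `oras` would be better bound to the digest of the image just pushed, passed through `env:` as `IMAGE_REF: ghcr.io/cyclonedx/cdxgen@${{ steps.<build-step-id>.outputs.digest }}` and used as `"$IMAGE_REF"`. This assumes the preceding step is docker/build-push-action; its id lies outside the hunk, so the placeholder must be filled in. Separately, `npm install` in a release job should be `npm ci` so the lockfile is enforced, and `CDXGEN_DEBUG_MODE: debug` is worth dropping once the test is done.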