
Add SBOM Test to GitHub Workflow #29467

Merged: 13 commits merged into master from sbom, Aug 13, 2024

Conversation

rsh1k
Contributor

@rsh1k rsh1k commented Aug 6, 2024

This pull request introduces a Software Bill of Materials (SBOM) test into our GitHub Actions workflow.

Summary of Changes:

  1. Added a new file in the workflow to run the SBOM test.

Details:

  1. The SBOM test step ensures that all dependencies used in the project are listed and validated against our security and compliance requirements.
  2. This integration uses Anchore Syft to generate and check the SBOM for any issues.

Benefits:

  1. Enhanced Security: Helps identify and manage vulnerabilities in third-party dependencies.
  2. Compliance: Assists in meeting regulatory and organizational requirements for software transparency.
  3. Automation: Streamlines the process of verifying dependency information as part of our CI/CD pipeline.

@rsh1k rsh1k requested a review from a team as a code owner August 6, 2024 14:02
@rsh1k rsh1k requested a review from mbiuki August 6, 2024 14:16
@rsh1k rsh1k requested a review from jdcmsd August 6, 2024 14:47
@mbiuki mbiuki added the OKR : Security & Privacy Owned by Mehdi label Aug 8, 2024
@mbiuki
Contributor

mbiuki commented Aug 8, 2024

Resolves #29443

Review comments on .github/workflows/sbom_generator.yaml (outdated, resolved)
@mbiuki
Contributor

mbiuki commented Aug 8, 2024

@jdcmsd - this is the PR for sbom ticket that we discussed yesterday. Please review.
I am still not sure if we would have to generate the SBOM in core-test-repo. Also, when the BOM is generated, do we need a new folder? There is some housekeeping stuff like that we would have to decide. Please put your comments here, thanks.

@mbiuki mbiuki linked an issue Aug 8, 2024 that may be closed by this pull request
@sfreudenthaler sfreudenthaler left a comment

Left some comments that hopefully advance this a bit. I'd like to get 👀 and approval from one of our folks more active in the github actions and pipelines codebase.

I also notice that for this PR, it doesn't have any changes in existing workflows to have it generated. So to generate an SBOM, someone would have to go invoke the workflow manually. I think it'd be better to have this get invoked on every release automatically.

Review comments on .github/workflows/sbom_generator.yaml (outdated, resolved)
@rsh1k
Contributor Author

rsh1k commented Aug 9, 2024

@sfreudenthaler @mbiuki This step will execute the code automatically whenever there is a new version published in GitHub:

```yaml
on:
  release:
    types: [published]
```

You don't need to run the code manually. The default version in the code is just to test if the workflow works as expected.

@sfreudenthaler
Contributor

> @sfreudenthaler @mbiuki This step will execute the code automatically whenever there is a new version published in GitHub:
>
> ```yaml
> on:
>   release:
>     types: [published]
> ```
>
> You don't need to run the code manually. The default version in the code is just to test if the workflow works as expected.

Oh shoot. Missed the trigger, good point.

I still don't like the default and the possible unintended behaviour. I'd like to see us find a different way to test. Maybe folks have some other ideas? If not, we're releasing twice a week on average, so you shouldn't have to wait long to get feedback.

Review comments on .github/workflows/sbom_generator.yaml (outdated, resolved)
@sfreudenthaler sfreudenthaler left a comment

I'd like to see us get some sort of breadcrumb to troubleshoot with if `input.dotcms_version` isn't provided or able to be retrieved.

Left a comment in the discussion already, but maybe changing the default value to something like "no value provided for dotcms_version" would do the trick.

@rsh1k
Contributor Author

rsh1k commented Aug 9, 2024

> I'd like to see us get some sort of breadcrumb to troubleshoot with if `input.dotcms_version` isn't provided or able to be retrieved.
>
> Left a comment in the discussion already, but maybe changing the default value to something like "no value provided for dotcms_version" would do the trick.

[screenshot: the prompt shown when no version is entered]

This is the message shown when no version is entered. We can change the message to appear differently, or we remove the code altogether.

Maybe we say Enter the dotCMS version: vYY.MM.DD instead of putting the default version.
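The version-resolution step discussed above, as an added example that is not part of this PR or the dotCMS project's own workflow code: on a `release: published` run the version comes from the release tag, on a `workflow_dispatch` run it comes from the `dotcms_version` input, and a missing or malformed value fails the job with a breadcrumb instead of silently falling back to a hard-coded default. The `vYY.MM.DD` shape, the `dotcms/dotcms` image name and the file names are assumptions for illustration; the `syft ... -o <format>=<file>` form is Syft's real CLI syntax.

```shell
#!/usr/bin/env sh
# Added example (not the project's own workflow code). Resolves the dotCMS
# version for the SBOM job and builds the syft invocation. All names below
# (vYY.MM.DD tag shape, dotcms/dotcms image, output file) are assumptions.

# Validate the assumed vYY.MM.DD shape (e.g. v24.08.13).
is_valid_version() {
    printf '%s' "$1" | grep -Eq '^v[0-9]{2}\.[0-9]{2}\.[0-9]{2}$'
}

# resolve_dotcms_version EVENT INPUT REF
#   EVENT : GITHUB_EVENT_NAME, "release" or "workflow_dispatch"
#   INPUT : the workflow_dispatch input dotcms_version (may be empty)
#   REF   : GITHUB_REF, e.g. refs/tags/v24.08.13 on a release event
# Prints the version on stdout and returns 0; otherwise prints a breadcrumb
# on stderr and returns 1 so the workflow step fails visibly.
resolve_dotcms_version() {
    event=$1; input=$2; ref=$3
    case "$event" in
        release)
            # The published release's tag is the source of truth.
            version=${ref#refs/tags/}
            ;;
        workflow_dispatch)
            # No default: an empty manual input is an error, not a guess.
            if [ -z "$input" ]; then
                echo "dotcms_version not provided: enter the dotCMS version as vYY.MM.DD" >&2
                return 1
            fi
            version=$input
            ;;
        *)
            echo "unsupported trigger '$event': expected release or workflow_dispatch" >&2
            return 1
            ;;
    esac
    if ! is_valid_version "$version"; then
        echo "dotcms_version '$version' does not match vYY.MM.DD" >&2
        return 1
    fi
    printf '%s\n' "$version"
}

# syft_command VERSION OUTFILE
# Builds the syft command for the image of that version, writing an SPDX
# JSON SBOM. Image name dotcms/dotcms is an assumption.
syft_command() {
    printf 'syft dotcms/dotcms:%s -o spdx-json=%s\n' "$1" "$2"
}

# Demo with constructed inputs; nothing here contacts GitHub or runs syft.
main() {
    v=$(resolve_dotcms_version release "" refs/tags/v24.08.13) || exit 1
    syft_command "$v" "sbom-$v.spdx.json"
    # A manual run with no version must fail with the breadcrumb.
    if resolve_dotcms_version workflow_dispatch "" refs/heads/master; then
        echo "expected failure for missing input" >&2
        exit 1
    fi
}

main
```

In the workflow this would sit in a `run:` step called with `${{ github.event_name }}`, `${{ inputs.dotcms_version }}` and `${{ github.ref }}`, with the `workflow_dispatch` input declared without a `default` so the only way to produce an SBOM for a version is to name it explicitly or publish a release.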

@sfreudenthaler
Contributor

> Maybe we say Enter the dotCMS version: vYY.MM.DD instead of putting the default version.

I like it! Thanks for your patience with me on this

@sfreudenthaler sfreudenthaler left a comment

Thanks. Let's get this in here and give it a go. Probably some tweaking needed after we start using it.

@spbolton spbolton left a comment

If you could just change the workflow name so it fits with the new naming structure I have in my PR. This would be legacy-release_sbom-generator.yaml.

The underscore acts like a path separator and this groups it with the existing release workflows we have not yet moved to the new modular structure.

I am fine this going in so we can see how it works otherwise.

To prevent this from being merged, I will push this in, then modify the filename in my PR, as mine still has to wait for approvals anyway. #29506

@rsh1k rsh1k enabled auto-merge August 13, 2024 03:04
Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@spbolton spbolton left a comment

Will update the filename within this PR #29506

@rsh1k rsh1k added this pull request to the merge queue Aug 13, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 13, 2024
@mbiuki mbiuki added this pull request to the merge queue Aug 13, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 13, 2024
@rsh1k rsh1k added this pull request to the merge queue Aug 13, 2024
Merged via the queue into master with commit 2d72851 Aug 13, 2024
17 checks passed
@rsh1k rsh1k deleted the sbom branch August 13, 2024 15:43
Projects
Status: In Progress
Development

Successfully merging this pull request may close these issues.

SBOM generation to go along w/ every release
4 participants