

Merge pull request #12 from shiftleftcyber/feat/enhanedWorkflows


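# Builds a CycloneDX SBOM for the Go module, signs it through the
# Secure SBOM service, verifies that signature, and publishes both the
# unsigned and signed SBOM as a workflow artifact.
# Triggers: manual dispatch, pushes to main, and pushes of v* tags.
name: SBOM Generation, Signing, and Verification

on:
  workflow_dispatch:
  push:
    branches: [main]
    tags:
      - 'v*'

# Least privilege: no step writes to the repository, so the GITHUB_TOKEN
# only needs read access to contents. Artifact upload does not need an
# extra permission.
permissions:
  contents: read

jobs:
  sbom-sign-verify:
    name: 🔏 SBOM Lifecycle
    runs-on: ubuntu-latest
    env:
      # File names are derived from the pushed branch/tag name and defined
      # once so every step agrees on them. These values are only passed as
      # action inputs, never interpolated into a shell `run:` line.
      # The `.signed.json` name assumes the sign action writes its output
      # next to the input with that suffix — confirm against the action's
      # documentation if the step layout changes.
      SBOM_FILE: sbom-validator.${{ github.ref_name }}.cdx.json
      SIGNED_SBOM_FILE: sbom-validator.${{ github.ref_name }}.cdx.signed.json
    steps:
      # Supply chain: the actions below are pinned to tags, which are
      # mutable. For a stronger guarantee pin each `uses:` to a full commit
      # SHA and keep the tag as a trailing comment, e.g.
      # `uses: owner/repo@<commit-sha>  # vX.Y.Z`.
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          cache: true

      - name: Generate SBOM (CycloneDX)
        uses: CycloneDX/gh-gomod-generate-sbom@v2
        with:
          version: v1
          args: mod -licenses -json -output-version 1.6 -output ${{ env.SBOM_FILE }}

      # Signing and verification use the same service credentials; the
      # secrets are injected as inputs and are masked in logs by Actions.
      - name: Sign SBOM
        uses: shiftleftcyber/secure-sbom-action@v1.3.1
        with:
          sbom_file: ${{ env.SBOM_FILE }}
          secure_sbom_action: sign
          api_key: ${{ secrets.SECURE_SBOM_API_KEY }}
          key_id: ${{ secrets.SECURE_SBOM_KEYID }}

      # Verifies the signed file produced by the step above; a failure here
      # fails the job, so the summary step only runs on a verified SBOM.
      - name: Verify SBOM
        uses: shiftleftcyber/secure-sbom-action@v1.3.1
        with:
          sbom_file: ${{ env.SIGNED_SBOM_FILE }}
          secure_sbom_action: verify
          api_key: ${{ secrets.SECURE_SBOM_API_KEY }}
          key_id: ${{ secrets.SECURE_SBOM_KEYID }}

      - name: Upload SBOM Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom-artifacts
          # Fail loudly rather than silently publishing a partial artifact
          # (the default only warns when a path matches nothing).
          if-no-files-found: error
          path: |
            ${{ env.SBOM_FILE }}
            ${{ env.SIGNED_SBOM_FILE }}

      # Only reached when every previous step succeeded (default step
      # condition), so the summary text is accurate.
      - name: Add Job Summary
        run: |
          echo "### 🔏 SBOM Lifecycle Completed" >> "$GITHUB_STEP_SUMMARY"
          echo "- ✅ SBOM generated, signed, and verified successfully" >> "$GITHUB_STEP_SUMMARY"
          echo "- 📄 Artifacts uploaded for transparency" >> "$GITHUB_STEP_SUMMARY"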