.github/workflows/test-action.yml

name: Test action
on:
  pull_request:
  push:
    branches: [ '**' ]
  release:
    types:
      - created
  workflow_dispatch:

jobs:
  test-action:
    permissions:
      id-token: write
      contents: write
    name: Test SonarSource/gh-action_sbom on alpine:latest
    runs-on: ubuntu-latest
    steps:
      - name: get secrets
        id: secrets
        uses: SonarSource/vault-action-wrapper@d6d745ffdbc82b040df839b903bc33b5592cd6b0 # 3.0.2
        with:
          secrets: |
            development/kv/data/sign passphrase | gpg_passphrase;
            development/kv/data/sign key | gpg_key;
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: ./
      - uses: ./ # SonarSource/gh-action_sbom
        with:
          image: alpine:latest
          filename: test-action-bom.json
          upload-artifact: true
          upload-release-assets: true
        env:
          GPG_PRIVATE_KEY_PASSPHRASE: ${{ fromJSON(steps.secrets.outputs.vault).gpg_passphrase }}
          GPG_PRIVATE_KEY_BASE64: ${{ fromJSON(steps.secrets.outputs.vault).gpg_key }}
      - run: |
          test -f test-action-bom.json.asc
          echo "test-action-bom.json:"
          head test-action-bom.json
      - uses: ./ # SonarSource/gh-action_sbom
        with:
          image: alpine:latest
          filename: test2-action-bom.json
          upload-artifact: false
          upload-release-assets: false