From 74b341cc5aa62077bc7892cddfec7d8868877215 Mon Sep 17 00:00:00 2001 From: Eduard Kovalets Date: Thu, 20 Nov 2025 08:44:42 +0000 Subject: [PATCH 1/3] NODE-7025: New SBOM generation workflow on dependencies change --- .github/actions/sbom-update/action.yml | 27 ++++++ .github/actions/setup-sbom/action.yml | 19 +++++ .github/actions/setup/action.yml | 19 +++++ .github/workflows/sbom.yml | 113 +++++++++++++++++++++++++ 4 files changed, 178 insertions(+) create mode 100644 .github/actions/sbom-update/action.yml create mode 100644 .github/actions/setup-sbom/action.yml create mode 100644 .github/actions/setup/action.yml create mode 100644 .github/workflows/sbom.yml diff --git a/.github/actions/sbom-update/action.yml b/.github/actions/sbom-update/action.yml new file mode 100644 index 0000000000..d826c33e36 --- /dev/null +++ b/.github/actions/sbom-update/action.yml @@ -0,0 +1,27 @@ +name: Generate SBOM +description: Generates CycloneDX SBOM using cdxgen +inputs: + output-file: + description: "Output filename for the SBOM" + required: false + default: "sbom.json" + +runs: + using: composite + steps: + - name: Generate SBOM + shell: bash + working-directory: ${{ inputs.working-directory }} + run: | + echo "Generating SBOM for 'node' project..." + cdxgen -t 'node' --spec-version 1.5 --json-pretty -o ${{ inputs.output-file }} . + + - name: Validate SBOM + shell: bash + run: | + if [ ! -f "${{ inputs.output-file }}" ]; then + echo "Error: SBOM file not found" + exit 1 + fi + + echo "SBOM file validated: ${{ inputs.output-file }}" \ No newline at end of file diff --git a/.github/actions/setup-sbom/action.yml b/.github/actions/setup-sbom/action.yml new file mode 100644 index 0000000000..2502fd9a99 --- /dev/null +++ b/.github/actions/setup-sbom/action.yml 
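Review bot: `working-directory: ${{ inputs.working-directory }}` in the Generate SBOM step refers to an input this action never declares (`inputs` only defines `output-file`), so the expression evaluates to an empty string, and the Validate SBOM step has no `working-directory` at all, so if a non-default directory were ever supplied the two steps would not agree on where the file lives. Either declare the input with `default: "."` and apply it to both steps, or drop the line. The validation only checks that the file exists; `jq empty "${{ inputs.output-file }}"` would also reject a truncated or malformed document before it is committed. The generator is installed by the companion setup action without a version pin, so SBOM content can change between runs for reasons unrelated to the project's own dependencies.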
@@ -0,0 +1,19 @@ +name: Setup PHP SBOM +description: Sets up environment for generating SBOM in PHP projects +inputs: + working-directory: + description: "The directory where composer.json is located" + required: false + default: "." + +runs: + using: composite + steps: + - name: Setup Node.js (for cdxgen) + uses: actions/setup-node@v4 + with: + node-version: '20' + + - name: Install cdxgen + shell: bash + run: npm install -g @cyclonedx/cdxgen \ No newline at end of file diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml new file mode 100644 index 0000000000..e865cbc789 --- /dev/null +++ b/.github/actions/setup/action.yml @@ -0,0 +1,19 @@ +name: Setup Node SBOM +description: Sets up environment for generating SBOM in Node.js projects +inputs: + working-directory: + description: "The directory where package.json is located" + required: false + default: "." + +runs: + using: composite + steps: + - name: Setup Node.js (for cdxgen) + uses: actions/setup-node@v4 + with: + node-version: '20' + + - name: Install cdxgen + shell: bash + run: npm install -g @cyclonedx/cdxgen \ No newline at end of file diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml new file mode 100644 index 0000000000..ec50bfb979 --- /dev/null +++ b/.github/workflows/sbom.yml 
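Review bot: The action is named `Setup PHP SBOM` and its `working-directory` input is described as "The directory where composer.json is located", but every step it runs is Node.js/npm and the workflow in this series invokes it for a `package.json` project, so the metadata looks copied from a PHP template and will mislead the next reader. Suggest `name: Setup Node SBOM` and `description: "The directory where package.json is located"`, matching the sibling `setup/action.yml`. The `working-directory` input is declared but not used by any step, so a caller passing it gets no effect.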
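Review bot: `.github/actions/setup/action.yml` duplicates `setup-sbom/action.yml` apart from the name and description text, and nothing in this series references `./.github/actions/setup` — the workflow uses `setup-sbom`. Unless a caller exists outside this patch, drop the file or point the workflow at this one, since two copies will drift (the later commits in this series edit only `setup-sbom`). Whichever copy survives, `npm install -g @cyclonedx/cdxgen` should be pinned, e.g. `npm install -g @cyclonedx/cdxgen@<pinned-version>`, so the tool that produces the SBOM is itself a fixed, reviewable dependency and output does not change between runs purely because a new release was published. The `working-directory` input is declared but unused here as well.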
@@ -0,0 +1,113 @@ +name: Post-Merge SBOM Update + +on: + push: + branches: + - main + paths: + - 'package.json' + - 'package-lock.json' + workflow_dispatch: +env: + SBOM_FILE: "sbom.json" +permissions: + contents: write + pull-requests: write + +jobs: + sbom: + name: Generate SBOM and Create PR + runs-on: ubuntu-latest + + concurrency: + group: sbom-${{ github.ref }} + cancel-in-progress: false + + steps: + - name: Checkout repository (Base Branch) + uses: actions/checkout@v5 + with: + ref: ${{ github.event.pull_request.base.ref || github.ref }} + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v3 + with: + ignore_install_scripts: false + + - name: Load version and package info + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 + with: + npm_package_name: mongodb + + - name: Generate/Update package-lock.json + run: | + echo "Resolving dependencies and generating package-lock.json..." + npm install --package-lock-only + echo "package-lock.json generated with resolved versions" + + - name: Setup SBOM environment + uses: ./.github/actions/setup-sbom + + - name: Generate SBOM + uses: ./.github/actions/sbom-update + with: + output-file: ${SBOM_FILE} + + - name: Check for Changes in sbom.json + id: git_status + run: | + # Filter to remove/normalize serialNumber and timestamp fields + JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)' + + # Check if the base file exists in Git (to prevent errors on first commit) + if ! git show HEAD:$SBOM_FILE > /dev/null 2>&1; then + echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT + exit 0 + fi + + # Compare the normalized committed version vs. 
the normalized current version + if diff -q \ + <(git show HEAD:$SBOM_FILE | jq -r "$JQ_NORMALIZER") \ + <(cat $SBOM_FILE | jq -r "$JQ_NORMALIZER"); then + + echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT + echo "No changes detected in sbom.json" + else + echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT + echo "Changes detected in sbom.json" + fi + + - name: Create Pull Request + if: steps.git_status.outputs.HAS_CHANGES == 'true' + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: 'chore: update SBOM after dependency changes' + branch: auto-update-sbom-${{ github.run_id }} + delete-branch: true + title: 'chore: Update SBOM' + body: | + ## Automated SBOM Update + + This PR was automatically generated because package files changed. + + ### Environment + - Node.js version: ${{ steps.versions.outputs.node-version }} + + ### Changes + - Updated `sbom.json` to reflect current dependencies + + ### Verification + The SBOM was generated using CycloneDX NPM. + + ### Triggered by + - Commit: ${{ github.sha }} + - Workflow run: ${{ github.run_id }} + + --- + _This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_ + labels: | + sbom + automated + dependencies \ No newline at end of file From c32122b8c950ecf412a3964a24e167392952c7a6 Mon Sep 17 00:00:00 2001 From: Eduard Kovalets Date: Tue, 2 Dec 2025 08:54:09 +0000 Subject: [PATCH 2/3] NODE-7025: Using cyclone npm --- .github/actions/sbom-update/action.yml | 2 +- .github/actions/setup-sbom/action.yml | 5 ++--- .github/workflows/sbom.yml | 2 ++ 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/actions/sbom-update/action.yml b/.github/actions/sbom-update/action.yml index d826c33e36..adad518e7d 100644 --- a/.github/actions/sbom-update/action.yml +++ b/.github/actions/sbom-update/action.yml 
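Review bot: The PR body reads `${{ steps.versions.outputs.node-version }}`, but no step in the job has `id: versions` (the `Load version and package info` step carries no `id`), so the Environment line will render with an empty value; add `id: versions` to that step or drop the line. `output-file: ${SBOM_FILE}` in the Generate SBOM step's `with:` is passed literally — `${VAR}` is not substituted in workflow YAML, only `${{ }}` expressions are — so the composite action receives the string `${SBOM_FILE}` and only works if the shell inside the action happens to expand it later; `output-file: ${{ env.SBOM_FILE }}` is the unambiguous form. `actions/checkout@v5`, `peter-evans/create-pull-request@v6` and the `drivers-github-tools` actions are referenced by mutable tags; for a job that holds `contents: write` and produces the repository's dependency inventory, pinning third-party actions to a full commit SHA (with the tag in a trailing comment) keeps the trust boundary explicit. `cat $SBOM_FILE | jq -r "$JQ_NORMALIZER"` can simply be `jq -r "$JQ_NORMALIZER" "$SBOM_FILE"`.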
@@ -14,7 +14,7 @@ runs: working-directory: ${{ inputs.working-directory }} run: | echo "Generating SBOM for 'node' project..." - cdxgen -t 'node' --spec-version 1.5 --json-pretty -o ${{ inputs.output-file }} . + npx @cyclonedx/cyclonedx-npm --output-file sbom.json --output-format json --spec-version 1.5 - name: Validate SBOM shell: bash diff --git a/.github/actions/setup-sbom/action.yml b/.github/actions/setup-sbom/action.yml index 2502fd9a99..e89c73dcc5 100644 --- a/.github/actions/setup-sbom/action.yml +++ b/.github/actions/setup-sbom/action.yml @@ -14,6 +14,5 @@ runs: with: node-version: '20' - - name: Install cdxgen - shell: bash - run: npm install -g @cyclonedx/cdxgen \ No newline at end of file + - name: Install dependencies + run: npm ci diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index ec50bfb979..ac77d44075 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -84,6 +84,8 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: 'chore: update SBOM after dependency changes' + add-paths: | + sbom.json branch: auto-update-sbom-${{ github.run_id }} delete-branch: true title: 'chore: Update SBOM' From 46659eebc192a6f3bfccb596c957de1e47d14d2d Mon Sep 17 00:00:00 2001 From: Eduard Kovalets Date: Tue, 2 Dec 2025 08:56:49 +0000 Subject: [PATCH 3/3] NODE-7025: Shell use fix --- .github/actions/setup-sbom/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/setup-sbom/action.yml b/.github/actions/setup-sbom/action.yml index e89c73dcc5..3f8fa173ed 100644 --- a/.github/actions/setup-sbom/action.yml +++ b/.github/actions/setup-sbom/action.yml @@ -15,4 +15,5 @@ runs: node-version: '20' - name: Install dependencies + shell: bash run: npm ci
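Review bot: The new command writes to a hard-coded `--output-file sbom.json` while the `Validate SBOM` step further down still checks `${{ inputs.output-file }}`, so the `output-file` input is now dead for generation and any caller passing a different name gets a validation failure or validates a stale file. Use `--output-file "${{ inputs.output-file }}"` to keep the two steps in agreement. `npx @cyclonedx/cyclonedx-npm` with no version resolves and downloads whatever is current at run time unless the package is already in the project's lockfile (not visible here); pinning `@cyclonedx/cyclonedx-npm@<pinned-version>` makes the SBOM generator itself a fixed, auditable dependency. The `working-directory: ${{ inputs.working-directory }}` context line still references an input this action does not declare.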
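Review bot: After this change `setup-sbom` no longer installs any SBOM tooling — it runs `npm ci` against the project — yet its `name: Setup PHP SBOM`, the composer.json description and the unused `working-directory` input are untouched, so the action's metadata no longer describes what it does. Rename it (e.g. `name: Install project dependencies`) and either add `working-directory: ${{ inputs.working-directory }}` to the `npm ci` step or remove the input. The workflow already runs `drivers-github-tools/node/setup@v3` and `npm install --package-lock-only` before this action, so `npm ci` may be a second full install; whether it is redundant depends on what the reusable setup action does, which is not visible here.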