From 4874ca099d8b273be5d97ed13de706b7c4ee6a08 Mon Sep 17 00:00:00 2001
From: stephenminakian
Date: Thu, 3 Jul 2025 09:06:05 -0600
Subject: [PATCH] Debug sbom upload
---
 .gitea/workflows/ci-cd.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index 1162b26..4887320 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -143,11 +143,20 @@ jobs:
 echo "SBOM generated successfully"
- - name: Upload SBOM
- uses: actions/upload-artifact@v3
- with:
- name: sbom
- path: sbom.spdx.json
+ - name: Upload SBOM to Harbor via ORAS
+ run: |
+ curl -sSL https://install.oras.land/install.sh | sh -s -- -b /usr/local/bin
+
+ IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
+
+ # Authenticate (ensure $HARBOR_USERNAME and $HARBOR_TOKEN are exported already)
+ echo "${{ secrets.HARBOR_TOKEN }}" | oras login ${{ env.REGISTRY }} -u '${{ secrets.HARBOR_USERNAME }}' --password-stdin
+
+ # Push the SBOM attached to the image
+ oras push $IMAGE \
+ --artifact-type application/spdx+json \
+ --subject $IMAGE \
+ sbom.spdx.json:application/spdx+json
 # Job 4: Image Security Scan
 # scan:
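Review bot: The first line of the new `run:` block pipes an unpinned remote installer into `sh` in the same step that then handles the Harbor credentials, so whatever that URL serves at build time runs with access to the token; installing a pinned ORAS release and checking its published SHA-256 first would close that gap. The two secrets are also expanded by `${{ }}` directly into the script text, so a quote or `$` in either value changes the command, and the comment about exported variables does not match what the step does; passing them through `env:` and quoting the shell variables, as sketched below, fixes both. Separately, the push target and `--subject` are both the mutable `:latest` tag, so the SBOM is bound to whatever that tag resolves to at upload time rather than to the image this run built; referencing the pushed digest would pin it, assuming an earlier step exposes one. It is also worth confirming that pushing to the same reference as the image does not move the tag onto the SBOM artifact, since `oras attach` is the command intended for referrer artifacts.

```yaml
      - name: Upload SBOM to Harbor via ORAS
        env:
          HARBOR_USERNAME: ${{ secrets.HARBOR_USERNAME }}
          HARBOR_TOKEN: ${{ secrets.HARBOR_TOKEN }}
        run: |
          # … replace curl | sh: install a pinned ORAS release and verify its SHA-256 …
          # … unchanged: IMAGE assignment …
          echo "$HARBOR_TOKEN" | oras login "${{ env.REGISTRY }}" -u "$HARBOR_USERNAME" --password-stdin
          # … unchanged: SBOM push …
```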