Merge "Fix: Update lf-activate-env code comment"

diff --git a/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml b/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml
new file mode 100644 (file)
index 0000000..02ae458
--- /dev/null
+++ b/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Copy SBOM report to the project's m2repo so that is signed by
+    SIGUL and pushed in the same staging package as the maven
+    artifacts.

diff --git a/shell/sbom-generator.sh b/shell/sbom-generator.sh
index 9b77dcc..913a639 100644 (file)
--- a/shell/sbom-generator.sh
+++ b/shell/sbom-generator.sh
@@ -33,6 +33,7 @@ echo "INFO: running spdx-sbom-generator"
 cd ${SBOM_PATH}
 ./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
 mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
+cp "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}" "${WORKSPACE}"/m2repo/sbom-"${JOB_BASE_NAME}"
 mv spdx-sbom-generator /tmp/
 rm /tmp/spdx*
 echo "---> sbom-generator.sh ends"