
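name: Scan latest release SBOM
# Find the latest release, pull its SBOM (if it exists), and scan the result.
on:
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: listing releases and reading their assets
# only needs read access to repository contents.
permissions:
  contents: read

jobs:
  find-release-and-sboms:
    runs-on: ubuntu-latest
    outputs:
      # JSON array (as a string) of asset URLs whose name contains "sbom".
      sbom-array: ${{ steps.find-release-sboms.outputs.SBOM_URL_ARRAY }}
    steps:
      - name: Determine last release
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed through the environment rather than interpolated into the
          # script so the shell never sees workflow-expression text.
          REPO: ${{ github.repository }}
        run: |
          gh version
          LATEST_RELEASE=$(gh release list \
            --repo "${REPO}" \
            --json tagName,name,isLatest \
            --jq '.[] | select(.isLatest==true) | .tagName')
          # Fail loudly here instead of letting the next step call
          # `gh release view ""` with an empty tag.
          if [ -z "${LATEST_RELEASE}" ]; then
            echo "::error::no release is marked as latest in ${REPO}"
            exit 1
          fi
          echo "LATEST_RELEASE=${LATEST_RELEASE}" | tee -a "${GITHUB_ENV}"
      - name: Find Release SBOM
        id: find-release-sboms
        env:
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
        run: |
          # Match "SBOM" as well as "sbom" in asset names. `jq -c` pins the
          # value to a single line, which the KEY=VALUE form of $GITHUB_OUTPUT
          # requires (a multi-line value would be cut at the first newline).
          SBOM_URL_ARRAY=$(gh release view "${LATEST_RELEASE}" \
            --repo "${REPO}" \
            --json assets \
            --jq '[.assets[] | select(.name | ascii_downcase | contains("sbom")) | .url]' \
            | jq -c .)
          echo "SBOM_URL_ARRAY=${SBOM_URL_ARRAY}" | tee -a "${GITHUB_OUTPUT}"
  pull-and-scan:
    runs-on: ubuntu-latest
    needs: [find-release-and-sboms]
    # An empty matrix is a workflow error; skip the job when the release has
    # no SBOM asset instead of failing the run.
    if: needs.find-release-and-sboms.outputs.sbom-array != '[]'
    strategy:
      matrix:
        url: ${{ fromJson(needs.find-release-and-sboms.outputs.sbom-array) }}
    steps:
      - name: check matrix
        env:
          # Matrix values come from release-asset metadata; hand them to the
          # shell as an env var, never by expanding ${{ }} inside `run`.
          SBOM_URL: ${{ matrix.url }}
        run: |
          echo "${SBOM_URL}"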