diff base main < demo (#87) #86

	name: npm-artifacts
	on:
	push:
	branches:
	- main

	jobs:
	build:
	name: Build
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read
	attestations: write

	steps:
	- name: Checkout repo
	uses: actions/checkout@v4

	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version-file: ".nvmrc"

	- name: Install dependencies
	run: \|
	yarn set version stable
	yarn plugin import https://github.com/CycloneDX/cyclonedx-node-yarn/releases/latest/download/yarn-plugin-cyclonedx.cjs

	- name: Build project
	run: \|
	yarn install
	yarn cyclonedx --spec-version 1.6 --output-format JSON --output-file vulnetix.cdx.json

	# - name: Upload semgrep.sarif.json
	# uses: actions/upload-artifact@v4
	# with:
	# name: semgrep_sarif
	# path: semgrep.sarif.json

	- name: Upload vulnetix.cdx.json
	uses: actions/upload-artifact@v4
	with:
	name: cyclonedx
	path: vulnetix.cdx.json

	- name: Generate SBOM attestation
	uses: actions/attest-sbom@v1
	env:
	INPUT_PRIVATE-SIGNING: "true"
	with:
	subject-digest: "sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32"
	subject-name: "subject"
	sbom-path: vulnetix.cdx.json

Provide feedback