ci(SBOM): better SBOM maintenance

.github/workflows/sbom.yml

@@ -1,6 +1,7 @@
 name: SBOM generation
 
 on:
+  workflow_dispatch:
   schedule:
     # Runs at 02:00 UTC every Monday
     - cron: '2 0 * * 1'
@@ -9,45 +10,51 @@ jobs:
   sbom_gen:
     name: Generate SBOM
     runs-on: ubuntu-latest
-    timeout-minutes: 10
-    continue-on-error: true
+    strategy:
+      matrix:
+        python: ['3.7', '3.8', '3.9', '3.10', '3.11']
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
-          python-version: '3.x'
+          python-version: ${{ matrix.python }}
           cache: 'pip'
           cache-dependency-path: '**/requirements.txt'
-      - name: Get date
-        id: get-date
-        run: |
-          echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
-      - name: Get cached database
-        uses: actions/cache@v3
-        with:
-          path: ~/.cache/cve-bin-tool
-          key: ${{ runner.os }}-cve-bin-tool-${{ steps.get-date.outputs.date }}
       - name: Install dependencies and cve-bin-tool
         run: |
           python -m pip install --upgrade pip
           python -m pip install --upgrade setuptools
           python -m pip install --upgrade wheel
-          python -m pip install --upgrade pytest
           python -m pip install --upgrade sbom4python
-          pip install . -r doc/requirements.txt
+          pip install . --upgrade --upgrade-strategy=eager
       - name: Generate SBOM for cve-bin-tool
         run: |
-          sbom4python --module cve-bin-tool --output sbom/cve-bin-tool.spdx
-          sbom4python --module cve-bin-tool --sbom cyclonedx --format json --output sbom/cve-bin-tool.json
-#      - name: Compare SBOM for cve-bin-tool
-#        # This would fail due to time/date of SBOM generation in SBOM header
-#        # Therefore ignore first 10 lines of file in comparison which is SBOM header
-#        run: |
-#          /bin/tail -n +10 sbom/cve-bin-tool.spdx > orig
-#          /bin/tail -n +10 cve-bin-tool.spdx > new
-#          /bin/diff -b orig new
-#      - name: Display generated SBOM if difference detected
-#        if: ${{ failure() }}
-#        run: |
-#          /bin/cat cve-bin-tool.spdx
-
+          sbom4python --module cve-bin-tool --output cve-bin-tool-py${{ matrix.python }}.spdx
+          sbom4python --module cve-bin-tool --sbom cyclonedx --format json --output cve-bin-tool-py${{ matrix.python }}.json
+      - name: Compare SBOM for cve-bin-tool
+        id: diff-sbom
+        # This would fail due to time/date of SBOM generation in SBOM header
+        # Therefore ignore first 10 lines of file in comparison which is SBOM header
+        run: |
+          /bin/tail -n +10 sbom/cve-bin-tool-py${{ matrix.python }}.spdx > orig
+          /bin/tail -n +10 cve-bin-tool-py${{ matrix.python }}.spdx > new
+          echo "changed=$(/bin/diff -q orig new)" >> $GITHUB_OUTPUT
+      - name: Display generated SBOM if difference detected
+        if: ${{ steps.diff-sbom.outputs.changed }}
+        run: |
+          /bin/cat cve-bin-tool-py${{ matrix.python }}.spdx
+      - name: Update existing SBOM if difference detected
+        if: ${{ steps.diff-sbom.outputs.changed }}
+        run: |
+          cp cve-bin-tool-py${{ matrix.python }}.spdx sbom/cve-bin-tool-py${{ matrix.python }}.spdx
+          cp cve-bin-tool-py${{ matrix.python }}.json sbom/cve-bin-tool-py${{ matrix.python }}.json
+      - name: Create Pull Request
+        if: ${{ steps.diff-sbom.outputs.changed }}
+        uses: peter-evans/create-pull-request@v4
+        with:
+          commit-message: "chore: update SBOM for Python ${{ matrix.python }}"
+          title: "chore: update SBOM for Python ${{ matrix.python }}"
+          branch: chore-sbom-py${{ matrix.python }}
+          delete-branch: true
+          author: GitHub <[email protected]>
+          add-paths: sbom