---
include:
  - remote: https://jobs.just-ci.dev/feat-python-cyclonedx/security/trivy.yml
  - remote: https://jobs.just-ci.dev/feat-python-cyclonedx/python/generic.yml

.freeze-dependencies: &freeze-dependencies
  - python3 -m venv .venv
  - source .venv/bin/activate
  - !reference [".python:pre-install", script]
  - python3 -m pip freeze > ${CI_PROJECT_DIR}/requirements-cyclonedx.txt
  - deactivate

python:cyclonedx:
  extends: .python:pre
  variables:
    JOB_PACKAGE: cyclonedx-bom
  script:
    - !reference [".python:pre", script]
    - *freeze-dependencies
    - cyclonedx-py requirements ${CI_PROJECT_DIR}/requirements-cyclonedx.txt
      --outfile ${CI_PROJECT_DIR}/cyclonedx.json
  artifacts:
    paths:
      - pip-log.txt
      - requirements-cyclonedx.txt
      - cyclonedx.json
    reports:
      cyclonedx:
        - cyclonedx.json
    when: always

trivy:python:
  extends: .trivy:sbom
  variables:
    TRIVY_TARGET: cyclonedx.json
  needs: ["python:cyclonedx"]