Add on-demand SBOM generation workflow

- Adds `score_sbom` as a Bazel module dependency (via `git_override`)
- Adds a root `reference_integration_sbom` Bazel target covering the core
  Rust showcase binaries (`//showcases/cli:cli`,
  `//showcases/orchestration_persistency:orch_per_example`)
- Adds `.github/workflows/generate_sbom.yml` triggered only on
  `workflow_dispatch` (on-demand)

What the workflow does:
1. Builds SPDX 2.3 + CycloneDX 1.6 SBOMs via
   `bazel build //:reference_integration_sbom`
2. Uploads both files as a GitHub Actions artifact (`sbom-<sha>`,
   retained 90 days)
3. Converts the SPDX output to GitHub Dependency Submission API format
   and submits it — enables Dependabot vulnerability alerts on the
   declared dependencies

Workflow improvements over initial draft:
- Use `astral-sh/setup-uv@v7.6.0` instead of `curl | sh` for
  reproducible, supply-chain-safe uv installation
- Add `apt-get update` before `apt-get install` to prevent intermittent
  failures on rotating runner images
- Invoke SPDX→snapshot converter via
  `bazel run @score_sbom//scripts:spdx_to_github_snapshot_bin` instead
  of reaching into Bazel's internal output_base directory; the required
  `py_binary` target is added in eclipse-score/sbom-tool#2
- Update header comment to accurately reflect that dependency snapshot
  submission always runs
- Use absolute paths (`$GITHUB_WORKSPACE`) for bazel run invocations

Author: Lukasz-Juranek

.github/workflows/generate_sbom.yml

@@ -0,0 +1,87 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+# SBOM Generation Workflow
+#
+# Summary:
+#   Generates a Software Bill of Materials (SPDX 2.3 + CycloneDX 1.6) for the
+#   core showcase Bazel targets and stores the results as a GitHub Actions
+#   artifact. Submits the SPDX snapshot to the GitHub Dependency Submission API
+#   to enable Dependabot vulnerability alerts.
+#
+# Triggers:
+#   - workflow_dispatch (on-demand only)
+#
+# Outputs:
+#   - Artifact "sbom-<sha>": reference_integration_sbom.spdx.json +
+#     reference_integration_sbom.cdx.json (retained 90 days)
+#   - GitHub Dependency Graph snapshot (enables Dependabot alerts per commit)
+#
+# Covered targets:
+#   - //showcases/cli:cli
+#   - //showcases/orchestration_persistency:orch_per_example
+name: Generate SBOM
+on:
+  workflow_dispatch:
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # required for GitHub Dependency Submission API
+    steps:
+      - name: Clean disk space
+        uses: eclipse-score/more-disk-space@v1
+      - name: Checkout repository
+        uses: actions/checkout@v4.2.2
+      - name: Setup Bazel
+        uses: bazel-contrib/setup-bazel@0.18.0
+        with:
+          bazelisk-cache: true
+          disk-cache: ${{ github.workflow }}
+          repository-cache: true
+          cache-save: true
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7.6.0
+      - name: Install Java for Rust crate metadata
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends openjdk-11-jre-headless
+      - name: Build SBOM
+        run: bazel build --lockfile_mode=error //:reference_integration_sbom
+      - name: Upload SBOM artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{ github.sha }}
+          path: |
+            bazel-bin/reference_integration_sbom.spdx.json
+            bazel-bin/reference_integration_sbom.cdx.json
+          retention-days: 90
+      - name: Convert SPDX to GitHub Dependency snapshot
+        run: |
+          bazel run @score_sbom//scripts:spdx_to_github_snapshot_bin -- \
+            --input "$GITHUB_WORKSPACE/bazel-bin/reference_integration_sbom.spdx.json" \
+            --output "$GITHUB_WORKSPACE/snapshot.json" \
+            --sha "${{ github.sha }}" \
+            --ref "${{ github.ref }}" \
+            --job-correlator "generate-sbom" \
+            --job-id "${{ github.run_id }}"
+      - name: Submit to GitHub Dependency Submission API
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const snapshot = JSON.parse(fs.readFileSync(process.env.GITHUB_WORKSPACE + '/snapshot.json', 'utf8'));
+            await github.rest.dependencyGraph.createRepositorySnapshot({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ...snapshot,
+            });

BUILD

@@ -12,6 +12,7 @@
 # *******************************************************************************
 
 load("@score_docs_as_code//:docs.bzl", "docs")
+load("@score_sbom//:defs.bzl", "sbom")
 load("@score_tooling//:defs.bzl", "copyright_checker", "setup_starpls", "use_format_targets")
 
 # Docs-as-code
@@ -69,3 +70,15 @@ exports_files([
     "MODULE.bazel",
     "pyproject.toml",
 ])
+
+# SBOM for core showcase targets
+sbom(
+    name = "reference_integration_sbom",
+    auto_crates_cache = True,
+    component_name = "score_reference_integration",
+    module_lockfiles = [":MODULE.bazel.lock"],
+    targets = [
+        "//showcases/cli:cli",
+        "//showcases/orchestration_persistency:orch_per_example",
+    ],
+)

MODULE.bazel

@@ -60,6 +60,18 @@ git_override(
     remote = "https://github.com/bmw-software-engineering/trlc.git",
 )
 
+# SBOM generation
+bazel_dep(name = "score_sbom")
+git_override(
+    module_name = "score_sbom",
+    commit = "1adca3f11116f3bfe7c41f7564d011011fba31df",
+    remote = "https://github.com/eclipse-score/sbom-tool.git",
+)
+
+sbom_ext = use_extension("@score_sbom//:extensions.bzl", "sbom_metadata")
+sbom_ext.track_module(name = "score_ref_int")
+use_repo(sbom_ext, "sbom_metadata")
+
 # Currently required for ifs tooling
 bazel_dep(name = "score_toolchains_qnx", version = "0.0.7")