Enhance workflow to include SBOM generation and upload

Added steps to generate and upload SBOM using CycloneDX.

Author: swmal

.github/workflows/Build-Release.yml

@@ -1,6 +1,3 @@
-# This workflow will build, test, sign and pack the release branches for EPPlus.
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
-
 name: Build Release Branches
 
 on:
@@ -21,6 +18,20 @@ jobs:
         dotnet-version: '9.0.x'
     - name: Restore dependencies
       run: dotnet restore ./src/EPPlus.sln
+
+    # --- SBOM ---
+    - name: Install CycloneDX
+      run: dotnet tool install --global CycloneDX
+    - name: Read version from csproj
+      id: read_version
+      run: |
+        $version = ([xml](Get-Content ./src/EPPlus/EPPlus.csproj)).Project.PropertyGroup.Version | Where-Object { $_ } | Select-Object -First 1
+        echo "VERSION=$version" >> $env:GITHUB_ENV
+      shell: pwsh
+    - name: Generate SBOM
+      run: dotnet CycloneDX ./src/EPPlus/EPPlus.csproj -o ./sbom -F Json -st Library -sv ${{ env.VERSION }} -fn epplus-${{ env.VERSION }}.sbom.json -imp ./src/EPPlus/sbom-metadata-template.xml
+    # --- SBOM ---
+
     - name: Build
       run: dotnet build ./src/EPPlus.sln --no-restore --configuration Release
     - name: Test
@@ -70,3 +81,21 @@ jobs:
       with:
           name: signed-nuget-package
           path: ./output/*.nupkg
+    # --- SBOM ---
+    - name: Upload SBOM to Azure Blob Storage
+      run: |
+        az storage blob upload `
+          --account-name eppluswebprod `
+          --container-name sbom `
+          --name epplus-${{ env.VERSION }}.sbom.json `
+          --file ./sbom/epplus-${{ env.VERSION }}.sbom.json `
+          --auth-mode login `
+          --overwrite
+      shell: pwsh
+
+    - name: Upload SBOM as artifact
+      uses: actions/upload-artifact@v4
+      with:
+          name: sbom
+          path: ./sbom/epplus-${{ env.VERSION }}.sbom.json
+    # --- SBOM ---