Update release pipeline in v1.21

Author: ekovalets

.github/workflows/release.yml

@@ -72,6 +72,106 @@ jobs:
           echo '❌ Release failed due to branch mismatch: expected ${{ inputs.version }} to be released from ${{ env.RELEASE_BRANCH }}, got ${{ github.ref_name }}' >> $GITHUB_STEP_SUMMARY
           exit 1
 
+      # For non-patch releases (A.B.C where C == 0), we expect the release to
+      # be triggered from the A.B maintenance branch or A.x development branch
+      - name: "Fail if non-patch release is created from wrong release branch"
+        if: ${{ endsWith(env.RELEASE_VERSION_WITHOUT_STABILITY, '.0') && env.RELEASE_BRANCH != github.ref_name && env.DEV_BRANCH != github.ref_name }}
+        run: |
+          echo '❌ Release failed due to branch mismatch: expected ${{ inputs.version }} to be released from ${{ env.RELEASE_BRANCH }} or ${{ env.DEV_BRANCH }}, got ${{ github.ref_name }}' >> $GITHUB_STEP_SUMMARY
+          exit 1
+
+      # If a non-patch release is created from its A.x development branch,
+      # create the A.B maintenance branch from the current one and push it
+      - name: "Create and push new release branch for non-patch release"
+        if: ${{ endsWith(env.RELEASE_VERSION_WITHOUT_STABILITY, '.0') && env.DEV_BRANCH == github.ref_name }}
+        run: |
+          echo '🆕 Creating new release branch ${{ env.RELEASE_BRANCH }} from ${{ github.ref_name }}' >> $GITHUB_STEP_SUMMARY
+          git checkout -b ${RELEASE_BRANCH}
+          git push origin ${RELEASE_BRANCH}
+
+      #
+      # Preliminary checks done - generate SBOM before tagging
+      #
+      - name: Checkout repository (Base Branch)
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.pull_request.base.ref || github.ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Setup PHP environment"
+        id: setup-php
+        uses: ./.github/actions/setup
+        with:
+          php-version: ${{ env.PHP_VERSION }}
+          driver-version: ${{ env.DRIVER_VERSION }}
+          working-directory: '.'
+        continue-on-error: true
+
+      - name: "Generate/Update composer.lock"
+        id: composer-lock
+        if: steps.setup-php.outcome == 'success'
+        run: |
+          echo "Resolving dependencies and generating composer.lock..."
+          composer update --lock --no-install --ignore-platform-reqs
+          echo "composer.lock generated with resolved versions"
+        continue-on-error: true
+
+      - name: "Setup SBOM environment"
+        id: setup-sbom
+        if: steps.composer-lock.outcome == 'success'
+        uses: ./.github/actions/setup-sbom
+        continue-on-error: true
+
+      - name: "Generate SBOM"
+        id: generate-sbom
+        if: steps.setup-sbom.outcome == 'success'
+        uses: ./.github/actions/update-sbom
+        with:
+          php-version: ${{ env.PHP_VERSION }}
+          working-directory: '.'
+          output-file: ${{ env.SBOM_FILE }}
+          output-format: 'json'
+        continue-on-error: true
+
+      - name: "Check for SBOM changes"
+        id: sbom_status
+        if: steps.generate-sbom.outcome == 'success'
+        run: |
+          JQ_NORMALIZER='del(.serialNumber) | del(.metadata.timestamp) | walk(if type == "object" and .timestamp then .timestamp = "TIMESTAMP_NORMALIZED" else . end)'
+
+          if ! git show HEAD:${{ env.SBOM_FILE }} > /dev/null 2>&1; then
+            echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
+            echo "SBOM file is new"
+            exit 0
+          fi
+
+          if diff -q \
+             <(git show HEAD:${{ env.SBOM_FILE }} | jq -r "$JQ_NORMALIZER") \
+             <(cat ${{ env.SBOM_FILE }} | jq -r "$JQ_NORMALIZER"); then
+            echo "HAS_CHANGES=false" >> $GITHUB_OUTPUT
+            echo "No changes detected in SBOM"
+          else
+            echo "HAS_CHANGES=true" >> $GITHUB_OUTPUT
+            echo "Changes detected in SBOM"
+          fi
+        continue-on-error: true
+
+      - name: "Commit SBOM changes"
+        if: steps.sbom_status.outputs.HAS_CHANGES == 'true'
+        run: |
+          git add ${{ env.SBOM_FILE }}
+          git commit -m "chore: Update SBOM for release ${{ inputs.version }}"
+          git push
+          echo "📦 SBOM updated and committed" >> $GITHUB_STEP_SUMMARY
+        continue-on-error: true
+
+      - name: "Report SBOM status"
+        run: |
+          if [[ "${{ steps.generate-sbom.outcome }}" == "success" ]]; then
+            echo "✅ SBOM generation completed successfully" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "⚠️ SBOM generation skipped or failed - continuing with release" >> $GITHUB_STEP_SUMMARY
+          fi
+
       #
       # Preliminary checks done - commence the release process
       #