diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index dbf85ec46eb301fa80c691b5637f235afc4d58f9..7352d1b9f293ba32c50983efb5073cc66a229408 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,16 +7,18 @@ workflow:
   rules:
     - if: $CI_MERGE_REQUEST_IID
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
 
 stages:
   - test
   - release
   - build
+  - deploy
 
 variables:
   harbor_registry: "harbor.gwdg.de"
   harbor_repo: "sub-fe"
-
+  project_name: "repdav"
 
 lint dockerfile:
   stage: test
@@ -40,7 +42,7 @@ lint dockerfile:
 
 release:
   stage: release
-  image: docker.io/node:16.14
+  image: docker.io/node:18.12
   before_script:
     - npm ci --unsafe-perm
   script:
@@ -66,8 +68,49 @@ build container image:
       --build-arg build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
       --build-arg vcs_ref=${CI_COMMIT_SHORT_SHA}
       --build-arg version=${version}
-      --destination $CI_REGISTRY_IMAGE/repdav:$version
-      --destination $harbor_registry/$harbor_repo/repdav:$version
+      --destination $CI_REGISTRY_IMAGE/$project_name:$version
+      --destination $harbor_registry/$harbor_repo/$project_name:$version
   rules:
+    # prevent job creation on release commits to $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE =~ /^chore\(release\):/
+      when: never
     - if: $CI_MERGE_REQUEST_IID
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
+
+generate app sbom:
+  stage: deploy
+  image: docker.io/node:18.12
+  before_script:
+    - npm ci --ignore-scripts
+    - npm run build
+  script:
+    - npx cdxgen
+      --type nodejs
+      --required-only
+      --server-url https://deps.sub.uni-goettingen.de
+      --api-key ${DEPS_UPLOAD_TOKEN}
+      --project-name ${project_name}
+      --project-version ${CI_COMMIT_TAG}
+  rules:
+    - if: $CI_COMMIT_TAG
+
+generate container sbom:
+  stage: deploy
+  image: docker.io/alpine:3.16
+  before_script:
+    - apk add curl
+    - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+  script:
+    - syft --output cyclonedx-json --file bom.json
+      $CI_REGISTRY_IMAGE/${project_name}:${CI_COMMIT_TAG}
+    - 'curl -X POST "https://deps.sub.uni-goettingen.de/api/v1/bom"
+      --header "accept: application/json"
+      --header "X-Api-Key: ${DEPS_UPLOAD_TOKEN}"
+      --header "Content-Type: multipart/form-data"
+      --form "autoCreate=true"
+      --form "projectName=${project_name}-container"
+      --form "projectVersion=${CI_COMMIT_TAG}"
+      --form "bom=@bom.json"'
+  rules:
+    - if: $CI_COMMIT_TAG