feat: add Syft integration for SBOM generation in GoReleaser workflows

whiteducksoftware · Jan 30, 2025 · 3507af2 · 3507af2
1 parent fe7d849
commit 3507af2
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
@@ -24,6 +24,8 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: 'stable'
+      - name: Download Syft
+        uses: anchore/sbom-action/download-syft@v0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
@@ -48,6 +50,8 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: 'stable'
+      - name: Download Syft
+        uses: anchore/sbom-action/download-syft@v0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:

diff --git a/.goreleaser-windows.yaml b/.goreleaser-windows.yaml
@@ -27,6 +27,10 @@ changelog:
       - "^.github:"
       - "^.vscode:"
 
+sboms:
+  - artifacts: archive
+    cmd: syft
+
 archives:
   - format: zip
     # this name template makes the OS and Arch compatible with the results of `uname`.

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -28,6 +28,10 @@ changelog:
       - "^.github:"
       - "^.vscode:"
 
+sboms:
+  - artifacts: archive
+    cmd: syft
+
 archives:
   - format: tar.gz
     # this name template makes the OS and Arch compatible with the results of `uname`.