Merge pull request #31 from whiteducksoftware/feat/sbom

feat: add Syft integration for SBOM generation in GoReleaser workflows
whiteducksoftware · Feb 4, 2025 · 5f27910 · 5f27910
2 parents fe7d849 + 3507af2
commit 5f27910
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
@@ -24,6 +24,8 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: 'stable'
+      - name: Download Syft
+        uses: anchore/sbom-action/download-syft@v0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
@@ -48,6 +50,8 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: 'stable'
+      - name: Download Syft
+        uses: anchore/sbom-action/download-syft@v0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:

diff --git a/.goreleaser-windows.yaml b/.goreleaser-windows.yaml
@@ -27,6 +27,10 @@ changelog:
       - "^.github:"
       - "^.vscode:"
 
+sboms:
+  - artifacts: archive
+    cmd: syft
+
 archives:
   - format: zip
     # this name template makes the OS and Arch compatible with the results of `uname`.

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -28,6 +28,10 @@ changelog:
       - "^.github:"
       - "^.vscode:"
 
+sboms:
+  - artifacts: archive
+    cmd: syft
+
 archives:
   - format: tar.gz
     # this name template makes the OS and Arch compatible with the results of `uname`.