fix(ci): generate sbom after release

.github/workflows/release.yml

@@ -28,12 +28,6 @@ jobs:
       - name: "install syft"
         uses: "anchore/sbom-action/download-syft@v0"
 
-      # generate sbom
-      - name: "generate sbom"
-        run: |
-          syft . -o spdx-json=sbom.spdx.json
-          syft . -o cyclonedx-json=sbom.cyclonedx.json
-
       # run goreleaser
       - name: "run goreleaser"
         uses: "goreleaser/goreleaser-action@v6"
@@ -43,6 +37,12 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
 
+      # generate sbom
+      - name: "generate sbom"
+        run: |
+          syft go.mod -o spdx-json=sbom.spdx.json
+          syft go.mod -o cyclonedx-json=sbom.cyclonedx.json
+
       # upload sbom to release
       - name: "upload sbom to release"
         uses: "softprops/action-gh-release@v1"