From 9cfd39da9d14a3c9087eaa4a89ef8d9a8381e41f Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Wed, 23 Apr 2025 17:07:40 +0200
Subject: [PATCH] feat(ci): add sbom to releases

---
 .github/workflows/release.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 878e066..c0100b9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,6 +24,16 @@ jobs:
 with:
 go-version: "stable"
 
+ # install syft
+ - name: "install syft"
+ uses: "anchore/sbom-action/download-syft@v0"
+
+ # generate sbom
+ - name: "generate sbom"
+ run: |
+ syft . -o spdx-json=sbom.spdx.json
+ syft . -o cyclonedx-json=sbom.cyclonedx.json
+
 # run goreleaser
 - name: "run goreleaser"
 uses: "goreleaser/goreleaser-action@v6"
@@ -32,3 +42,13 @@ jobs:
 args: "release --clean --config ./.github/.goreleaser.yaml"
 env:
 GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
+
+ # upload sbom to release
+ - name: "upload sbom to release"
+ uses: "softprops/action-gh-release@v1"
+ with:
+ files: |
+ sbom.spdx.json
+ sbom.cyclonedx.json
+ env:
+ GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
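Review bot: The two `syft .` invocations in the new "generate sbom" step run before the "run goreleaser" step has built anything, so both SBOMs inventory the checked-out source tree rather than the binaries that are actually released, and a consumer reading `sbom.spdx.json` will not see what goreleaser linked into a given artifact. If a per-artifact SBOM is the goal, goreleaser's own `sboms:` configuration in `./.github/.goreleaser.yaml` generates them from the built artifacts so they can be signed and checksummed with the rest of the release; otherwise the step comment should state the scope, e.g. `# generate sbom of the source tree (not the release binaries)`. The new `anchore/sbom-action/download-syft@v0` reference is a mutable major-version tag (as are the existing `@v6` and the `@v1` added in the second hunk), so the tool producing the supply-chain inventory is itself unpinned; prefer a full commit SHA with the version in a trailing comment, `uses: "anchore/sbom-action/download-syft@<commit-sha>" # v0.x.y`. The enclosing `steps` list begins before this hunk.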
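Review bot: The "upload sbom to release" step attaches `sbom.spdx.json` and `sbom.cyclonedx.json` as bare release assets after goreleaser has already published its artifacts, so nothing in the release lets a consumer check that these two files were produced by this workflow rather than replaced later, and they are outside whatever checksum or signing goreleaser applies to its own outputs. At minimum the step should write a checksum file alongside them, e.g. `sha256sum sbom.spdx.json sbom.cyclonedx.json > sbom.sha256` in the generate step and list `sbom.sha256` under `files:`; folding SBOM generation into goreleaser avoids the problem entirely. `softprops/action-gh-release@v1` is a mutable tag that receives `GORELEASER_GITHUB_TOKEN` with write access to the release, so it deserves the same commit-SHA pin as the other actions. This step also relies on the workflow being triggered by a tag so the action resolves the existing release; the trigger is outside the hunk, so that assumption is worth a comment on the step.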