Add SBOM generation workflow

gianlucam76 · gianlucam76 · commit 0fac00d726c9 · 2026-04-12T13:57:30.000+02:00
Generate SPDX and CycloneDX SBOMs on every release tag using syft,
and attach them as assets to the GitHub release.
diff --git a/.github/workflows/release-sbom.yml b/.github/workflows/release-sbom.yml
@@ -0,0 +1,34 @@
+name: release-sbom
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write  # needed to upload assets to the GitHub release
+
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: 1.26.1
+
+      - name: Install syft
+        # Pin syft to a specific version. Check for new releases at https://github.com/anchore/syft/releases and bump this version periodically.
+        run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.18.0
+
+      - name: Generate SBOMs
+        run: syft . -o spdx-json=sbom.spdx.json -o cyclonedx-json=sbom.cyclonedx.json
+
+      - name: Upload SBOMs to release
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
+        with:
+          files: |
+            sbom.spdx.json
+            sbom.cyclonedx.json
