From 11296cd94f05e3decba7a7bfb4a8dcf126008b44 Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Fri, 14 Jan 2022 09:48:11 +0200
Subject: [PATCH] Publish Flux Software Bill of Materials (SBOM) in SPDX format

- generate SBOM for Flux Go modules with Syft
- publish the SBOM SPDX JSON files to GitHub releases with GoReleaser

Signed-off-by: Stefan Prodan
---
 .github/workflows/release.yaml | 4 ++++
 .goreleaser.yml                | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index dd50db0b..ba8f2847 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -66,6 +66,10 @@ jobs:
       - name: Archive the OpenAPI JSON schemas
         run: |
           tar -czvf ./output/crd-schemas.tar.gz -C schemas .
+      - name: Setup Syft
+        uses: fluxcd/pkg//actions/sbom@main
+        with:
+          version: "v0.35.1"
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v1
         with:
diff --git a/.goreleaser.yml b/.goreleaser.yml
index b57017b1..69de0c52 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -40,6 +40,8 @@ archives:
         format: zip
     files:
       - none*
+sboms:
+  - artifacts: archive
 brews:
   - name: flux
     tap:
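Review bot: The new "Setup Syft" step references the action by a floating branch, `uses: fluxcd/pkg//actions/sbom@main`, so the code that installs the SBOM tooling into the release job can change between runs without any change in this repository, and the `version: "v0.35.1"` input pins Syft itself but not the action that installs it. For a step that runs inside the release pipeline and whose output is published as a supply-chain artifact, pin the action to a tag or, better, a full commit SHA, e.g. `uses: fluxcd/pkg//actions/sbom@<pinned-tag-or-commit-sha>` with a trailing `# vX.Y.Z` comment so Dependabot/Renovate can track it. If the double slash in the path is intentional it deserves a short comment, since it reads like a typo. The steps list this hunk sits in starts and ends outside the hunk.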
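Review bot: The new `sboms:` stanza relies entirely on GoReleaser's defaults, so nothing in this file says which tool produces the SBOM, in what format, or that the tool must already be on PATH; a reader of `.goreleaser.yml` alone cannot tell that the "Setup Syft" step in `.github/workflows/release.yaml` is a hard prerequisite. A two-line comment above the stanza would make the coupling explicit: `# SBOM generation uses the syft binary installed by the "Setup Syft" step in .github/workflows/release.yaml;` `# output format and command are GoReleaser's defaults (SPDX JSON per archive, per the commit message).` It is also worth stating, in the same comment, whether the generated SBOM files are expected to be covered by the release checksums and signing steps, since that is not visible here.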