From 0fac00d726c9f04cad5f284ae1eed1d0e011be07 Mon Sep 17 00:00:00 2001
From: Gianluca Mardente
Date: Sun, 12 Apr 2026 13:56:56 +0200
Subject: [PATCH] Add SBOM generation workflow

Generate SPDX and CycloneDX SBOMs on every release tag using syft, and attach them as assets to the GitHub release.
---
 .github/workflows/release-sbom.yml | 34 ++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/release-sbom.yml

diff --git a/.github/workflows/release-sbom.yml b/.github/workflows/release-sbom.yml
new file mode 100644
index 00000000..82a74d0a
--- /dev/null
+++ b/.github/workflows/release-sbom.yml
@@ -0,0 +1,34 @@
+name: release-sbom
+on:
+ push:
+ tags:
+ - 'v*'
+
+permissions:
+ contents: write # needed to upload assets to the GitHub release
+
+jobs:
+ sbom:
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Set up Go
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ with:
+ go-version: 1.26.1
+
+ - name: Install syft
+ # Pin syft to a specific version. Check for new releases at https://github.com/anchore/syft/releases and bump this version periodically.
+ run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.18.0
+
+ - name: Generate SBOMs
+ run: syft . -o spdx-json=sbom.spdx.json -o cyclonedx-json=sbom.cyclonedx.json
+
+ - name: Upload SBOMs to release
+ uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
+ with:
+ files: |
+ sbom.spdx.json
+ sbom.cyclonedx.json
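Review bot: The `Install syft` step pins the syft version to v1.18.0 but fetches the installer itself from the unpinned `main` branch of the syft repository and pipes it straight into `sh`, so the integrity of the tool that produces the release SBOMs rests on whatever that script contains on the day the tag is pushed. Since the SBOM is a release artifact consumers will rely on, install syft from a fixed source: either the `anchore/sbom-action` pinned by commit SHA like the other actions in this file (`uses: anchore/sbom-action@<pinned-commit-sha> # vX.Y.Z`), or a download of the v1.18.0 release archive that is verified against the checksums file published alongside that release before it is extracted. The generated files are also uploaded unsigned; a follow-up could add `actions/attest-sbom` (which needs `id-token: write` and `attestations: write` under `permissions`) so consumers can verify their provenance. Note also that `syft .` scans the checked-out source tree, so the output describes the module graph at the tag rather than the binaries shipped in the release; if that is intended, a comment on the `Generate SBOMs` step saying so would help.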