chore: test SBOM generation for PR builds

smlx · smlx · commit 9983f5a8aa80 · 2026-01-14T17:34:59.000+08:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -57,6 +57,7 @@ jobs:
       uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
       with:
         images: ghcr.io/${{ github.repository }}/${{ matrix.binary }}
+    - uses: anchore/sbom-action/download-syft@a930d0ac434e3182448fe678398ba5713717112a # v0.21.0
     - name: Build and push ${{ matrix.binary }} container image
       if: github.actor != 'dependabot[bot]'
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
@@ -69,6 +70,7 @@ jobs:
           BINARY=${{ matrix.binary }}
           TARGETPLATFORM=${{ matrix.binary }}_linux_amd64_v1
         context: dist
+        sbom: true
   check-tag:
     permissions:
       contents: read
