chore: test SBOM generation for PR builds

smlx · smlx · commit c88cb4d86efc · 2026-01-14T17:43:31.000+08:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -27,6 +27,7 @@ jobs:
       with:
         path: dist.tar
   build-image:
+    if: github.actor != 'dependabot[bot]'
     permissions:
       contents: read
       packages: write
@@ -45,23 +46,23 @@ jobs:
     - name: untar binaries
       run: tar -xvf dist.tar
     - name: Login to GHCR
-      if: github.actor != 'dependabot[bot]'
       uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Set up Docker Buildx to support SBOM generation
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
     - name: Get Docker metadata
-      if: github.actor != 'dependabot[bot]'
       id: docker_metadata
       uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
       with:
         images: ghcr.io/${{ github.repository }}/${{ matrix.binary }}
     - name: Build and push ${{ matrix.binary }} container image
-      if: github.actor != 'dependabot[bot]'
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
       with:
         push: true
+        sbom: true
         tags: ${{ steps.docker_metadata.outputs.tags }}
         labels: ${{ steps.docker_metadata.outputs.labels }}
         file: Dockerfile
