From a19d2e16cb189e23a98596a3c3f0945c258b6e8c Mon Sep 17 00:00:00 2001
From: Gaius
Date: Thu, 17 Oct 2024 21:15:09 +0800
Subject: [PATCH] chore: generate SBOM for release artifacts

Signed-off-by: Gaius
---
 .github/workflows/docker.yml | 8 ++++++++
 .goreleaser.yml | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 2d93d280690..9cb10e57905 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -126,6 +126,14 @@ jobs:
 env:
 COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
 
+ - uses: anchore/sbom-action@v0
+ with:
+ image: dragonflyoss/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+
+ - uses: anchore/sbom-action@v0
+ with:
+ image: ghcr.io/${{ env.IMAGE_REPOSITORY }}/${{ matrix.module }}:${{ steps.get_version.outputs.VERSION }}
+
 - name: Move cache
 run: |
 rm -rf /tmp/.buildx-cache
diff --git a/.goreleaser.yml b/.goreleaser.yml
index e38fdaa4986..9e0d9ec005f 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -8,6 +8,9 @@ before:
 - make build-manager-console
 - go mod download
 
+sboms:
+ - artifacts: binary
+
 builds:
 - main: ./cmd/dfget
 id: dfget
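Review bot: Both added steps reference `anchore/sbom-action@v0`, a mutable major tag, inside a release job that reads repository secrets (the context line shows `secrets.COSIGN_PUBLIC_KEY`), so a retagged or compromised release of the action would execute in the publishing pipeline. Pin each one to a full commit SHA with the version as a trailing comment, e.g. `- uses: anchore/sbom-action@<full-commit-sha>  # v0.x.y`. The scans also address the image by tag rather than by the digest of the image that was pushed and signed, so the SBOM is not bound to that exact image; if the push step exposes a digest output, `image: dragonflyoss/${{ matrix.module }}@<digest-output>` would tie them together. Giving each step a `name:` would also make the two scans distinguishable in the run log. The job and the surrounding steps begin and end outside this hunk.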
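Review bot: The new `sboms:` stanza relies on GoReleaser's default SBOM command, `syft`, which has to be on the runner's PATH; nothing in this patch installs it, so unless the release workflow (not shown here) already does, the release would fail at the SBOM stage. A step such as `- uses: anchore/sbom-action/download-syft@<full-commit-sha>` ahead of the GoReleaser run would cover that. A one-line comment above the stanza, e.g. `# One SBOM per built binary, generated with syft and published with the release`, would record the intent. It is also worth confirming that the generated SBOM files are covered by the release checksums and signature so consumers can verify them.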