diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index dd50db0bb07ff46c851b50467c309bc89e2c3279..ba8f28471f13c0e23952319371125a3cb4f5b8de 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -66,6 +66,10 @@ jobs:
       - name: Archive the OpenAPI JSON schemas
         run: |
           tar -czvf ./output/crd-schemas.tar.gz -C schemas .
+      - name: Setup Syft
+        uses: fluxcd/pkg//actions/sbom@main
+        with:
+          version: "v0.35.1"
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v1
         with:
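Review bot: The added `Setup Syft` step pulls `fluxcd/pkg//actions/sbom@main`, a mutable branch ref, so whatever is on that branch at release time runs in the job that builds and publishes the release artifacts. Pin it to a full commit SHA with the origin in a trailing comment, e.g. `uses: fluxcd/pkg/actions/sbom@<full-commit-sha>  # main as of <date>`. The doubled slash in `pkg//actions` looks unintended; confirm it resolves as expected or normalize it. The Syft version itself is pinned to `v0.35.1`, but whether the action verifies the downloaded binary's checksum is not visible here and is worth checking.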
diff --git a/.goreleaser.yml b/.goreleaser.yml
index b57017b19de61d2cb162bd4d4c6098112af6d249..69de0c523093b6d94b7120da898d22cd13a259ed 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -40,6 +40,8 @@ archives:
     format: zip
     files:
       - none*
+sboms:
+  - artifacts: archive
 brews:
   - name: flux
     tap:
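Review bot: The new `sboms` entry makes a release depend on an external `syft` binary being on PATH, and nothing in this file says so. A comment above it, such as `# SBOM generation shells out to syft; release.yaml installs it in the "Setup Syft" step`, would explain failures in local or alternate-CI runs. Whether the generated SBOM files are covered by the existing checksum and signing configuration is not visible in this hunk. If they are not, consumers cannot verify the SBOM they download, so confirm they are included.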