Publish Flux Software Bill of Materials (SBOM) in SPDX format

- generate SBOM for Flux Go modules with Syft - publish the SBOM SPDX JSON files to GitHub releases with GoReleaser Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

Publish Flux Software Bill of Materials (SBOM) in SPDX format
11296cd9 · Stefan Prodan · 677dca0b · 11296cd9 · 11296cd9
Unverified Commit 11296cd9 authored 3 years ago by Stefan Prodan
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -66,6 +66,10 @@ jobs:
      - name: Archive the OpenAPI JSON schemas
        run: |
          tar -czvf ./output/crd-schemas.tar.gz -C schemas .
+      - name: Setup Syft
+        uses: fluxcd/pkg//actions/sbom@main
+        with:
+          version: "v0.35.1"
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v1
        with:

--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -40,6 +40,8 @@ archives:
    format: zip
    files:
      - none*
+sboms:
+  - artifacts: archive
 brews:
  - name: flux
    tap: