From 93401eaf9aa011cb53190119597f85936618fd29 Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Fri, 14 Jan 2022 09:48:11 +0200
Subject: [PATCH] Publish Flux Software Bill of Materials (SBOM) in SPDX format

- generate SBOM for Flux Go modules with Syft
- publish the SBOM SPDX JSON files to GitHub releases with GoReleaser

Signed-off-by: Stefan Prodan
---
 .github/workflows/release.yaml | 6 ++++++
 .goreleaser.yml | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index dd50db0bb0..03a49dfefa 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -66,6 +66,12 @@ jobs:
 - name: Archive the OpenAPI JSON schemas
 run: |
 tar -czvf ./output/crd-schemas.tar.gz -C schemas .
+ - name: Setup Syft
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | \
+ sh -s -- -b /usr/local/bin v${SYFT_VERSION}
+ env:
+ SYFT_VERSION: "0.35.1"
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v1
 with:
diff --git a/.goreleaser.yml b/.goreleaser.yml
index b57017b19d..69de0c5230 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -40,6 +40,8 @@ archives:
 format: zip
 files:
 - none*
+sboms:
+ - artifacts: archive
 brews:
 - name: flux
 tap:
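Review bot: The installer in the `Setup Syft` step is fetched from the unpinned `main` branch of anchore/syft and piped straight into `sh`, so only the Syft binary version is pinned by `SYFT_VERSION` while the script that downloads and installs it can change between runs of the release job without any review or integrity check. Pinning the script to the same tag closes most of that gap: `curl -sSfL https://raw.githubusercontent.com/anchore/syft/v${SYFT_VERSION}/install.sh | \` (assuming the tagged tree carries `install.sh` at that path, as `main` does here). A short comment above the step such as `# installs syft for the GoReleaser sboms section; keep SYFT_VERSION and the script ref in sync` would also record why the step exists, since its consumer lives in a different file. The `jobs:` mapping this step belongs to starts outside the hunk.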
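Review bot: The new `sboms` entry relies entirely on GoReleaser's defaults for the syft command, its arguments and the document name, so nothing in `.goreleaser.yml` records that the expected output is SPDX JSON or that `syft` must already be on `PATH` (it is installed by a separate step in `.github/workflows/release.yaml`). A comment above the entry, e.g. `# SPDX JSON SBOM per release archive; requires syft on PATH (installed in release.yaml)`, would keep that coupling visible, and stating the format explicitly via `args` would protect against a future default change. Whether the generated SBOM documents are covered by the project's signing configuration cannot be seen from this hunk, since any `signs:` section is outside it, and is worth confirming so consumers can verify the SBOM alongside the archives. The enclosing top-level mapping continues before and after the hunk.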