feat: add SBOM generation and build provenance attestation to release workflows (#69)

* feat: add SBOM generation and build provenance attestation to release workflows * docs: update release notes template with SBOM unreleased entry
2026-04-06 05:07:16 +02:00 · 2026-04-02 10:44:13 -07:00 · 2026-04-02 10:44:13 -07:00 · 75184a5967
commit 75184a5967
parent 6d1d5a1822
5 changed files with 90 additions and 5 deletions
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@ -56,6 +56,24 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v5.0.0

+      - name: Generate source SBOM (SPDX)
+        uses: anchore/sbom-action@v0.24.0
+        with:
+          path: .
+          format: spdx-json
+          output-file: sbom-source.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Generate source SBOM (CycloneDX)
+        uses: anchore/sbom-action@v0.24.0
+        with:
+          path: .
+          format: cyclonedx-json
+          output-file: sbom-source.cyclonedx.json
+          upload-artifact: false
+          upload-release-assets: false
+
      - name: Prepare release notes
        id: notes
        shell: bash
@ -84,5 +102,8 @@ jobs:
          tag_name: ${{ steps.notes.outputs.version }}
          name: ${{ steps.notes.outputs.version }}
          body_path: ${{ steps.notes.outputs.notes_file }}
+          files: |
+            sbom-source.spdx.json
+            sbom-source.cyclonedx.json
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}