chore: enable SBOMs within GoReleaser (cloudnative-pg#10074)

sxd · mnencia · web-flow · commit a95b4d282b55 · 2026-02-25T22:34:45.000+01:00
Enable GoReleaser SBOM generation for archives and packages (RPM/DEB), producing SPDX JSON SBOMs via syft. The existing `signs` configuration (`artifacts: all`) will automatically sign the generated SBOMs. Closes cloudnative-pg#10073 Signed-off-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com> Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com> Co-authored-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -124,6 +124,11 @@ snapshot:
 changelog:
   disable: true
 
+sboms:
+  - artifacts: archive
+  - id: packages
+    artifacts: package
+
 signs:
   - artifacts: all
     args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
