update: release pipeline

Author: aschmidt75

.github/workflows/release.yml

@@ -32,10 +32,13 @@ jobs:
                 go-version: 1.24
 
         - name: Install dependencies
-          run: go mod download
+          run: |
+            go mod download
+            curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
             
         - name: Run GoReleaser
           uses: goreleaser/goreleaser-action@v6
+          uses: anchore/sbom-action/[email protected] # installs syft
           with:
                 distribution: goreleaser
                 version: "~> v2"

.goreleaser.yml

@@ -22,15 +22,19 @@ checksum:
   algorithm: sha512
 
 sboms:
-  - id: default
-    path: sboms
-    formats:
-      - cyclonedx-json
-      - spdx-json
+  - id: ipvsctl
+    documents:
+      - "${artifact}.sbom.json"
+    cmd: syft
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
+    env:
+      - SYFT_FILE_METADATA_CATALOGER_ENABLED=true
+    artifacts: any
+
 
 release:
   extra_files:
-    - glob: sboms/*.json
+    - glob: dist/*.sbom.json
 
 snapshot:
   version_template: "{{ .Tag }}-next"