Merge pull request kubernetes-sigs#4248 from camilamacedo86/sboms

k8s-ci-robot · web-flow · commit fd868389a5ab · 2024-10-31T08:09:26.000Z
🌱 Add SBOM generation for Cyber Resilience Act compliance
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,7 +11,6 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
 
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -25,6 +24,10 @@ jobs:
           go-version: '~1.22'
       - name: Clean dist directory
         run: rm -rf dist || true
+      - name: Install Syft to generate SBOMs
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b $HOME/bin
+          echo "$HOME/bin" >> $GITHUB_PATH
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
diff --git a/build/.goreleaser.yml b/build/.goreleaser.yml
@@ -68,3 +68,12 @@ release:
   github:
     owner: kubernetes-sigs
     name: kubebuilder
+
+# Add the SBOM configuration at the end to generate SBOM files
+sboms:
+  - id: kubebuilder-sbom
+    artifacts: binary
+    cmd: syft
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
+    documents:
+      - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.cyclonedx.sbom.json"
