From 4460300a9ebcf292d1e791950a1b8b39253110e9 Mon Sep 17 00:00:00 2001
From: Seongho Bae
Date: Fri, 13 Mar 2026 08:07:35 +0900
Subject: [PATCH 1/4] fix(ci): remove unverified syft binary download
---
 .github/workflows/sbom.yml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 73330c5c..91d0b0c1 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -38,14 +38,12 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Install Syft
-        run: |
-          curl -sSfL -o "$RUNNER_TEMP/syft.tar.gz" "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
-          tar -xzf "$RUNNER_TEMP/syft.tar.gz" -C "$RUNNER_TEMP" syft
-
       - name: Generate CycloneDX SBOM
-        run: |
-          "$RUNNER_TEMP/syft" dir:. -o cyclonedx-json=bandscope-sbom.cdx.json
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
+        with:
+          path: .
+          format: cyclonedx-json
+          output-file: bandscope-sbom.cdx.json
 
       - name: Upload SBOM artifact
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
From a41935b27a64cfe19bbff50a9bdd2013524367e3 Mon Sep 17 00:00:00 2001
From: Seongho Bae
Date: Wed, 25 Mar 2026 21:22:46 +0900
Subject: [PATCH 2/4] fix(ci): disable implicit artifact uploads in sbom action
---
 .github/workflows/sbom.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 91d0b0c1..cb536e0f 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -44,6 +44,8 @@ jobs:
           path: .
           format: cyclonedx-json
           output-file: bandscope-sbom.cdx.json
+          upload-artifact: false
+          upload-release-assets: false
 
       - name: Upload SBOM artifact
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
From f77f42762cf352d0e71afde11ed9b1091879b3a5 Mon Sep 17 00:00:00 2001
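Review bot: The Syft release that produces the SBOM is no longer stated anywhere in the step: the removed `run:` block fetched `v1.20.0` explicitly, while the new `uses: anchore/sbom-action@…` step appears to run whatever Syft version that action commit installs by default. If the generator version matters for reproducible SBOMs across action bumps, make it explicit with the action's input, e.g. `syft-version: "v1.20.0"` under `with:`. A one-line comment on the step would also preserve the intent of this change for the next reader, e.g. `# Syft is installed by the SHA-pinned action; do not fetch release tarballs by hand here`. The enclosing job starts before the hunk.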
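Review bot: The two added inputs `upload-artifact: false` and `upload-release-assets: false` carry no explanation, and a reader who later re-enables one would get a second copy of the SBOM next to the one the explicit `Upload SBOM artifact` step below publishes, or an attempt to attach release assets that the job's permissions may not allow (the `permissions:` block is outside the hunk, so that cannot be confirmed here). A comment above the pair would pin the intent, e.g. `# the explicit upload step below is the only publication path; keep the action's own uploads off`. The enclosing step and job start before the hunk.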
From: Seongho Bae
Date: Wed, 25 Mar 2026 22:05:34 +0900
Subject: [PATCH 3/4] chore: trigger CodeRabbit review
From 6f706c5d83a025de605df3d628553d3bbb0c8c94 Mon Sep 17 00:00:00 2001
From: Seongho Bae
Date: Wed, 25 Mar 2026 22:24:46 +0900
Subject: [PATCH 4/4] trigger review