Summary
The roadmap (todo.md Tier 3) calls for a Software Bill of Materials (SBOM) attached to every GitHub release. This is an enterprise / compliance gate: many security-conscious teams require an SBOM before approving a tool for internal use.
What to do
GoReleaser supports SBOM generation natively via `syft`. Enable it in `.goreleaser.yaml`:

```yaml
sboms:
  - artifacts: archive   # one SBOM per platform archive
    documents:
      - "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom.json"
    args: ["$artifact", "--output", "cyclonedx-json=$document"]
```

Or for a single SBOM covering the whole release:

```yaml
sboms:
  - artifacts: binary
    documents:
      - "{{ .ProjectName }}_{{ .Version }}.sbom.json"
```
Steps:
- Install `syft` in the `release.yml` GitHub Actions workflow before running GoReleaser.
- Add the `sboms` block to `.goreleaser.yaml`.
- Verify the SBOM file appears in `make release-dryrun` output.
- Optionally attach both a CycloneDX SBOM and an SPDX-JSON SBOM for maximum tool compatibility.
Acceptance criteria
- `make release-dryrun` produces at least one `*.sbom.json` artefact.
- The SBOM is attached to the GitHub release alongside the platform binaries.
- `make lint test` passes (no Go code changes needed).
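The "verify the SBOM file appears" step and the first acceptance criterion are easy to automate. The script below is an added example, not code from this issue or the project: it walks a GoReleaser `dist/` directory, detects whether each `*.sbom.json` is CycloneDX JSON or SPDX JSON (the two formats the steps mention), and fails if no SBOM exists or one lists no components, which is the failure mode a misconfigured `args` line produces. The `mytool` file names, component versions and the temporary `dist/` directory are constructed for illustration.

```python
"""Sanity-check the SBOM documents GoReleaser/syft drop into dist/.

Added example, not code from the issue or the project. It assumes the SBOMs
are syft output in CycloneDX JSON or SPDX JSON and are named *.sbom.json as in
the .goreleaser.yaml above. The sample documents and the temporary dist/
directory built here are constructed for illustration.
"""
import json
import tempfile
from pathlib import Path


def inspect_sbom(doc: dict) -> dict:
    """Detect the SBOM format and summarise what the document declares."""
    if doc.get("bomFormat") == "CycloneDX":
        components = doc.get("components") or []
        # metadata.component is the artifact that was scanned
        subject = doc.get("metadata", {}).get("component", {}).get("name")
        return {
            "format": "cyclonedx",
            "spec_version": doc.get("specVersion"),
            "subject": subject,
            "component_count": len(components),
            "names": sorted(c.get("name", "") for c in components),
        }
    if "spdxVersion" in doc:
        packages = doc.get("packages") or []
        return {
            "format": "spdx",
            "spec_version": doc.get("spdxVersion"),
            # the SPDX document name carries the scanned target in syft output
            "subject": doc.get("name"),
            "component_count": len(packages),
            "names": sorted(p.get("name", "") for p in packages),
        }
    raise ValueError("not a CycloneDX JSON or SPDX JSON document")


def check_dist(dist_dir, min_components: int = 1) -> dict:
    """Return {filename: summary} for every *.sbom.json under dist_dir.

    Raises if no SBOM exists or one is unparseable/empty, so a CI job running
    this after `make release-dryrun` fails loudly instead of shipping a release
    whose SBOM describes nothing.
    """
    results = {}
    for path in sorted(Path(dist_dir).glob("*.sbom.json")):
        with path.open(encoding="utf-8") as fh:
            doc = json.load(fh)
        summary = inspect_sbom(doc)
        if summary["component_count"] < min_components:
            raise ValueError(f"{path.name}: SBOM lists no components")
        results[path.name] = summary
    if not results:
        raise FileNotFoundError(f"no *.sbom.json documents in {dist_dir}")
    return results


# Constructed sample documents, trimmed to the fields the checks above use.
SAMPLE_CYCLONEDX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "mytool_1.2.3_linux_amd64.tar.gz"}},
    "components": [
        {"type": "library", "name": "golang.org/x/crypto", "version": "v0.21.0"},
        {"type": "library", "name": "github.com/spf13/cobra", "version": "v1.8.0"},
    ],
}
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "name": "mytool_1.2.3_linux_amd64.tar.gz",
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "github.com/spf13/cobra",
         "versionInfo": "v1.8.0"},
    ],
}


def write_sample_dist() -> str:
    """Create a throwaway dist/ holding one CycloneDX and one SPDX SBOM (constructed)."""
    dist = Path(tempfile.mkdtemp(prefix="dist-"))
    (dist / "mytool_1.2.3_linux_amd64.sbom.json").write_text(json.dumps(SAMPLE_CYCLONEDX))
    (dist / "mytool_1.2.3_linux_amd64.spdx.sbom.json").write_text(json.dumps(SAMPLE_SPDX))
    return str(dist)


if __name__ == "__main__":
    import sys
    # Pass the real dist/ directory as argv[1]; with no argument the constructed sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else write_sample_dist()
    for name, info in check_dist(target).items():
        print(f"{name}: {info['format']} {info['spec_version']}, "
              f"{info['component_count']} components, subject={info['subject']}")
```

Run it as `python check_sboms.py dist/` after `make release-dryrun`; a non-zero exit (missing, unparseable or empty SBOM) is the signal to block the release step.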
References