From 6deb8e87943c9aa165fa6b92747dccf582e2a7d5 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Wed, 14 Jan 2026 17:34:59 +0800
Subject: [PATCH 1/3] chore: test SBOM generation for PR builds
---
 .github/workflows/build.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4b7420d..661c352 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -27,6 +27,7 @@ jobs:
 with:
 path: dist.tar
 build-image:
+ if: github.actor != 'dependabot[bot]'
 permissions:
 contents: read
 packages: write
@@ -45,23 +46,23 @@ jobs:
 - name: untar binaries
 run: tar -xvf dist.tar
 - name: Login to GHCR
- if: github.actor != 'dependabot[bot]'
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Set up Docker Buildx to support SBOM generation
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 - name: Get Docker metadata
- if: github.actor != 'dependabot[bot]'
 id: docker_metadata
 uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
 with:
 images: ghcr.io/${{ github.repository }}/${{ matrix.binary }}
 - name: Build and push ${{ matrix.binary }} container image
- if: github.actor != 'dependabot[bot]'
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 push: true
+ sbom: true # relies on docker/setup-buildx-action above
 tags: ${{ steps.docker_metadata.outputs.tags }}
 labels: ${{ steps.docker_metadata.outputs.labels }}
 file: Dockerfile
From e5af23959aebc4255e7559fe99494dc7992cb8de Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Wed, 14 Jan 2026 18:03:01 +0800
Subject: [PATCH 2/3] chore: add comment about SBOM generation to the release workflow
---
 .github/workflows/release.yaml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
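Review bot: Moving the Dependabot guard from the three steps to `if:` on the `build-image` job changes how a skip propagates: any later job that declares `needs: build-image` is now skipped as well for Dependabot-triggered runs, unless its own `if:` uses `always()` or `!cancelled()`. I cannot see the rest of build.yaml, so this may be exactly what is wanted; if dependants exist, either give them a `!cancelled()` condition or record the cascade next to the new line, e.g. `# Skipped for Dependabot runs (read-only GITHUB_TOKEN cannot push to GHCR); jobs that need this one are skipped too`. Either way the guard now carries the whole job's `packages: write` decision, so a one-line comment explaining why it exists is worth adding.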
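Review bot: `sbom: true` on the build-push step makes BuildKit pull and run its default SBOM scanner image at build time, and as far as I can tell that image is fetched by a floating tag, while every action in this workflow is pinned to a commit SHA; the component that produces the bill of materials is the one unpinned piece of the pipeline. build-push-action accepts a generator override in the same input, so consider `sbom: generator=docker/buildkit-syft-scanner:<version>@sha256:<digest>` and make the inline comment carry that intent: `# SBOM attestation via buildx; scanner image pinned by digest, bump with the actions`. If pinning is deferred, the comment should at least say the scanner is not pinned so the gap is visible to whoever audits the supply chain.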
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9d26491..ec8039a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -38,14 +38,21 @@ jobs:
 - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
 with:
 go-version: stable
+ # The setup-buildx-action enables the docker-container driver, which allows
+ # SBOM generation for the resulting container image using the syft
+ # container which is automatically pulled and run during the container
+ # image build. However, because the release process also generates an SBOM
+ # for the binaries attached to the GitHub release (see the "sboms" section
+ # in .gorleaser.yaml), it also needs to install syft into the action
+ # environment.
 - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+ - uses: anchore/sbom-action/download-syft@a930d0ac434e3182448fe678398ba5713717112a # v0.21.0
 - name: Login to GHCR
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - uses: anchore/sbom-action/download-syft@a930d0ac434e3182448fe678398ba5713717112a # v0.21.0
 - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
 id: goreleaser
 with:
From 267462a69d04d0cf19b4f5a2c943238885c9a4ee Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Wed, 14 Jan 2026 18:06:20 +0800
Subject: [PATCH 3/3] fix: test release workflow changes
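Review bot: The added comment points readers at `.gorleaser.yaml`, a typo for `.goreleaser.yaml` that will send someone looking for a file that does not exist; the line should read `# in .goreleaser.yaml), it also needs to install syft into the action`. The same comment says the syft container is "automatically pulled and run" during the image build, which is true but also means that scanner is not version-pinned the way the download-syft step is (commit SHA, v0.21.0); a short caveat such as `# NOTE: the scanner image BuildKit pulls for the image SBOM is not pinned here, unlike download-syft below` would make that asymmetry visible to whoever audits the release pipeline. Moving download-syft ahead of the GHCR login is harmless on its own. The goreleaser step's `with:` block continues outside the hunk.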