Update release.yml (#379)

add syft & grype for scanning sbom
theparanoids · Feb 21, 2024 · 772fe54 · 772fe54
1 parent 4cb44ac
commit 772fe54
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -46,9 +46,18 @@ jobs:
             ${{ runner.os }}-go-
 
       - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+
+      - name: Create SBOM
+        uses: anchore/sbom-action@24b0d5238516480139aa8bc6f92eeb7b54a9eb0a # v0.15.5
+        with:
+          format: spdx-json
+          output-file: "${{ github.event.repository.name }}-sbom.spdx.json"
+
+      - name: Scan SBOM
+        uses: anchore/scan-action@ecfd0e98932e57ea8f68f29c4f418fc41a8194db
         with:
-          cosign-release: 'v2.2.0' # optional
-      - uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
+          sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with: