Generate SBOM (#1076)

* Generate SBOM

Generate and publish SBOM as part of the release.

* Publish bom.json

* Ignore SBOMs generated during CI

.github/workflows/release.yaml

@@ -56,6 +56,12 @@ jobs:
           registry: public.ecr.aws
           username: ${{ secrets.ECR_ACCESS_KEY_ID }}
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+      - name: Generate SBOM
+        uses: CycloneDX/gh-gomod-generate-sbom@v0.2.0
+        with:
+          json: true
+          output: bom.json
+          version: latest
       - name: Release
         uses: goreleaser/goreleaser-action@v2
         with:

.gitignore

@@ -24,3 +24,6 @@ thumbs.db
 # test fixtures
 coverage.txt
 integration/testdata/fixtures/
+
+# SBOMs generated during CI
+/bom.json

goreleaser.yml

@@ -27,6 +27,8 @@ builds:
         goarch: 386
 
 release:
+    extra_files:
+      - glob: ./bom.json
     discussion_category_name: Announcements
 
 nfpms: