diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 95f58908..61748e41 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -121,6 +121,9 @@ jobs:
       - name: Install Cosign
         uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
+
       - name: Download GoReleaser
         run: go install github.com/goreleaser/goreleaser@v1.23.0
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 61e29ec8..4c79c450 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -65,3 +65,12 @@ docker_signs:
       - "sign"
       - "${artifact}"
       - "--yes" # needed on cosign 2.0.0+
+sboms:
+  - id: archive
+    cmd: syft
+    artifacts: archive
+    args: ["$artifact", "--output", "spdx-json=$document"]
+  - id: source
+    cmd: syft
+    artifacts: source
+    args: ["$artifact", "--output", "spdx-json=$document"]
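Review bot: The syft binary that the new `Install syft` step puts on PATH is not pinned in the hunk — the commit SHA fixes the action's code, but the syft release it downloads appears to be left to the action's default, so the SBOM generator can change between runs with no change to the workflow. If the `syft-version` input is available at the pinned commit, set it explicitly (`with:` / `syft-version: "<pinned syft version>"`), and consider a `- run: syft version` step after it so the generator version is recorded in the job log alongside the release artifacts. The `steps` sequence these lines belong to starts and ends outside the hunk.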
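Review bot: The `source` entry of the new `sboms:` stanza only produces anything if the config also builds a source archive; nothing in this hunk enables one, so if the `source:` section elsewhere in `.goreleaser.yaml` is not `enabled: true`, there is no `source` artifact for syft to scan and that entry is dead configuration. Nothing here signs or attests the SBOM files either: `docker_signs` above covers images only, and whether the `signs:` stanza (outside the hunk) includes the SBOMs in its `artifacts` selection should be confirmed, otherwise they ship unsigned next to signed artifacts. A comment above `sboms:` would help a reader connect the two files, e.g. `# syft is installed on the runner by .github/workflows/release.yml (anchore/sbom-action/download-syft); both entries emit SPDX JSON`.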