From d0dc72b75f89cc19dde5bbe537bcd0452c46e1f7 Mon Sep 17 00:00:00 2001
From: Yaxhveer
Date: Mon, 20 May 2024 21:18:04 +0530
Subject: [PATCH 1/3] corrected sbom check
Signed-off-by: Yaxhveer
---
 .github/workflows/release.yml | 3 +++
 .goreleaser.yaml | 5 +++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 95f58908..4543f3a0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -121,6 +121,9 @@ jobs:
 - name: Install Cosign
 uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+ - name: Install syft
+ - uses: anchore/sbom-action/download-syft@v0
+
 - name: Download GoReleaser
 run: go install github.com/goreleaser/goreleaser@v1.23.0
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 61e29ec8..35f60178 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -65,3 +65,8 @@ docker_signs:
 - "sign"
 - "${artifact}"
 - "--yes" # needed on cosign 2.0.0+
+sboms:
+ - id: archive
+ cmd: syft
+ args: ["$artifact", "--output", "spdx-json=$document"]
+ artifacts: archive
From 624025444eab9cc8b1be27adfd636dd319901425 Mon Sep 17 00:00:00 2001
From: Yaxhveer
Date: Mon, 20 May 2024 22:40:43 +0530
Subject: [PATCH 2/3] updated
Signed-off-by: Yaxhveer
---
 .github/workflows/release.yml | 2 +-
 .goreleaser.yaml | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4543f3a0..a131acf2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -122,7 +122,7 @@ jobs:
 uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 - name: Install syft
- - uses: anchore/sbom-action/download-syft@v0
+ uses: anchore/sbom-action/download-syft@v0
 - name: Download GoReleaser
 run: go install github.com/goreleaser/goreleaser@v1.23.0
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 35f60178..4c79c450 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
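Review bot: The new "Install syft" step is what `.goreleaser.yaml` (`cmd: syft` in the next hunk) depends on to find the generator by bare name, but nothing in the workflow confirms the action leaves `syft` on `PATH` rather than only exposing it through its `cmd` step output; if it does not, the release job fails at SBOM time, after the build has already run. A one-line smoke check right after the install step makes the failure immediate and obvious: `- name: Verify syft` / `run: syft version`. If the action turns out to expose the binary only via its output, the goreleaser `cmd` would have to be pointed at that path instead. The enclosing `steps:` list starts and ends outside the hunk.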
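Review bot: The new `sboms` entry emits SPDX documents for the archives, but nothing in this hunk ties those documents to the release signature; the only signing configuration visible is the `docker_signs` context above it, which covers images, and whether a `signs:` section exists and signs the checksum file that lists these documents is outside the hunk. An unsigned SBOM gives a consumer no way to distinguish a tampered document from the one the pipeline produced, which defeats much of its purpose as supply-chain evidence. Please confirm that the release's `signs:` configuration covers the SBOM artifacts (via the signed checksum file, or `artifacts: all` / `artifacts: sbom` if the goreleaser v1.23.0 pinned in the workflow supports it), and record the outcome above the new section, e.g. `# SBOM documents are covered by the checksum signature in signs:`.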
@@ -68,5 +68,9 @@ docker_signs:
 sboms:
 - id: archive
 cmd: syft
- args: ["$artifact", "--output", "spdx-json=$document"]
 artifacts: archive
+ args: ["$artifact", "--output", "spdx-json=$document"]
+ - id: source
+ cmd: syft
+ artifacts: source
+ args: ["$artifact", "--output", "spdx-json=$document"]
From 892e4e7424565d597f8ec068ecdcf22258fd6cb7 Mon Sep 17 00:00:00 2001
From: Yaxhveer
Date: Wed, 22 May 2024 10:34:48 +0530
Subject: [PATCH 3/3] updated syft action version
Signed-off-by: Yaxhveer
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a131acf2..61748e41 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -122,7 +122,7 @@ jobs:
 uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 - name: Install syft
- uses: anchore/sbom-action/download-syft@v0
+ uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
 - name: Download GoReleaser
 run: go install github.com/goreleaser/goreleaser@v1.23.0
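Review bot: The added `source` entry with `artifacts: source` only has something to scan if the config's `source:` section enables the source archive, and that section is not visible in this hunk; if it is not enabled, the behaviour at release time (hard error versus a release that quietly ships without the source SBOM) should be checked rather than assumed. The reorder of `args` after `artifacts` in the `archive` entry is cosmetic and the two entries duplicating `cmd`/`args` is fine for greppability. A short comment on the new entry would save the next reader the lookup: `# requires source.enabled: true in the source: section`.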
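Review bot: Pinning the action to a commit SHA with a version comment matches the `cosign-installer` line above it, but `download-syft` still fetches a syft release at run time, so the generator that produces the SBOMs is not fixed by this pin; two runs of the same tag can yield different documents, and a new syft release reaches the release pipeline untested. If this version of the action accepts a `syft-version` input, pin the tool as well, e.g. `with:` / `syft-version: "<pinned syft version>"`, and bump it deliberately alongside the action. The enclosing `steps:` list starts and ends outside the hunk.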