From f54fc89b801f9b4cb48471287541acce9284508d Mon Sep 17 00:00:00 2001
From: Camila Macedo
Date: Wed, 30 Oct 2024 07:15:20 +0000
Subject: [PATCH] Add SBOM generation for Cyber Resilience Act compliance

- Integrated SBOM generation in GoReleaser using Syft to produce CycloneDX SBOMs.
- Updated GitHub Actions workflow to install Syft, enabling automated SBOM creation on release.
- This enhancement is part of ongoing efforts to align with the EU Cyber Resilience Act, ensuring transparency and security in our software supply chain.
---
 .github/workflows/release.yml | 5 ++++-
 build/.goreleaser.yml         | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6d0daa8c957..c6c6747a8af 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,7 +11,6 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -25,6 +24,10 @@ jobs:
           go-version: '~1.22'
       - name: Clean dist directory
         run: rm -rf dist || true
+      - name: Install Syft to generate SBOMs
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b $HOME/bin
+          echo "$HOME/bin" >> $GITHUB_PATH
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
diff --git a/build/.goreleaser.yml b/build/.goreleaser.yml
index e6dce4e10f7..1de47042b54 100644
--- a/build/.goreleaser.yml
+++ b/build/.goreleaser.yml
@@ -68,3 +68,12 @@ release:
   github:
     owner: kubernetes-sigs
     name: kubebuilder
+
+# Add the SBOM configuration at the end to generate SBOM files
+sboms:
+  - id: kubebuilder-sbom
+    artifacts: binary
+    cmd: syft
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
+    documents:
+      - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.cyclonedx.sbom.json"
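Review bot: The new "Install Syft to generate SBOMs" step fetches `install.sh` from the `main` branch of anchore/syft and pipes it straight to `sh` with no version pinned, so both the installer script and the Syft binary it pulls can change (or be tampered with) between release runs — an unpinned, unverified tool in the release job is exactly the kind of supply-chain gap the SBOMs are meant to close. Pin both the script and the tool to a release tag, e.g. `curl -sSfL "https://raw.githubusercontent.com/anchore/syft/<tag>/install.sh" | sh -s -- -b "$HOME/bin" <tag>`, and consider recording the script's expected checksum, or replace the step with the maintained `anchore/sbom-action/download-syft` action pinned to a commit SHA with an explicit Syft version input. Quoting `"$HOME/bin"` on the `-b` argument (as is already done on the `$GITHUB_PATH` line) also avoids word-splitting should the runner's home path ever contain spaces. Whether GoReleaser then signs or attests the SBOMs it produces is decided in `.goreleaser.yml`, not in this workflow hunk.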
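Review bot: Nothing in this hunk covers the generated SBOM documents with a signature or attestation, so a downstream consumer cannot tell an SBOM produced by this pipeline from one swapped in after the fact; if the config already has a `signs` section (not visible here), confirm its artifact selection includes the `sbom` type, otherwise add one, since an unsigned SBOM gives little of the supply-chain assurance the commit message claims. The `documents` template keys only on `.Os`/`.Arch`, so if the `builds` section (outside this hunk) emits more than one `GOARM` variant the file names would collide — `{{ .Arm }}` is the usual addition; I can't see `builds` to confirm. The comment `# Add the SBOM configuration at the end to generate SBOM files` describes the edit rather than the config; something like `# One CycloneDX SBOM per released binary, produced by Syft (EU CRA supply-chain transparency)` would read better a year from now.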