try to publish sbom with next release

.drone.yml

@@ -30,6 +30,7 @@ steps:
   - name: build
     image: goreleaser/goreleaser
     commands:
+      - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v0.64.0
       - goreleaser build --snapshot
     when:
       event:
@@ -59,6 +60,7 @@ steps:
       GPG_PRIVATE_KEY_BASE64:
         from_secret: GPG_PRIVATE_KEY_BASE64
     commands:
+      - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v0.64.0
       - apk add gpg-agent
       - gpg-agent --daemon --default-cache-ttl 7200
       - echo $GPG_PRIVATE_KEY_BASE64 | base64 -d | gpg --import --batch --no-tty

.github/workflows/release.yml

@@ -18,26 +18,25 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
+      - name: Checkout
         uses: actions/checkout@v3
-      -
-        name: Unshallow
+      - name: Unshallow
         run: git fetch --prune --unshallow
-      -
-        name: Set up Go
+      - name: Set up Go
         uses: actions/setup-go@v3
         with:
           go-version: 1.18
-      -
-        name: Import GPG key
+      - name: Import GPG key
         id: import_gpg
         uses: crazy-max/ghaction-import-gpg@v5.2.0
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
-      -
-        name: Run GoReleaser
+      - name: setup-syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | \
+          sh -s -- -b /usr/local/bin v0.64.0
+      - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4.1.0
         with:
           version: latest

.goreleaser.yml

@@ -41,6 +41,8 @@ checksum:
       name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
   name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
   algorithm: sha256
+sboms:
+  - artifacts: archive
 signs:
   - artifacts: checksum
     args: