From 41da46e2b23238a40669e8be1bcd0cdcdd40cda0 Mon Sep 17 00:00:00 2001
From: Alex Gorevski
Date: Tue, 17 Feb 2026 15:25:53 -0800
Subject: [PATCH] ci(release): add SBOM generation with syft (#699)

Generate CycloneDX and SPDX Software Bill of Materials during release builds. SBOMs are included in release artifacts and covered by SHA256 checksums and cosign signatures. Addresses item #5 in #618.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/release.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 772f641..95b3c0c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -98,10 +98,21 @@ jobs:
 with:
 path: artifacts
+ - name: Install syft
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+ - name: Generate SBOM (CycloneDX)
+ run: |
+ syft dir:. --source-name zeroclaw -o cyclonedx-json=artifacts/zeroclaw.cdx.json -o spdx-json=artifacts/zeroclaw.spdx.json
+ echo "### SBOM Generated" >> "$GITHUB_STEP_SUMMARY"
+ echo "- CycloneDX: zeroclaw.cdx.json" >> "$GITHUB_STEP_SUMMARY"
+ echo "- SPDX: zeroclaw.spdx.json" >> "$GITHUB_STEP_SUMMARY"
+
 - name: Generate SHA256 checksums
 run: |
 cd artifacts
- find . -type f \( -name '*.tar.gz' -o -name '*.zip' \) -exec sha256sum {} + | sed 's| \./[^/]*/| |' > SHA256SUMS
+ find . -type f \( -name '*.tar.gz' -o -name '*.zip' -o -name '*.cdx.json' -o -name '*.spdx.json' \) -exec sha256sum {} + | sed 's| \./[^/]*/| |' > SHA256SUMS
 echo "Generated checksums:"
 cat SHA256SUMS
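Review bot: The `Install syft` step fetches `install.sh` from the `main` branch of anchore/syft and pipes it straight into `sh` with no version pin and no integrity check, so the tool that produces the SBOMs this release job then checksums and cosign-signs is itself an unpinned, unverified download whose contents can change between runs. At minimum pin the release tag the installer accepts, `sh -s -- -b /usr/local/bin <SYFT_VERSION_TAG>` (placeholder), or better download the versioned release archive and verify its published checksum before use, or switch to the maintained `anchore/sbom-action` pinned to a commit SHA. The `Generate SBOM (CycloneDX)` step also writes SPDX and records no version for the component it describes; `syft dir:. --source-name zeroclaw --source-version "$GITHUB_REF_NAME" ...` would tie both documents to the tag being released, and the step name should mention both formats. In the checksum step the `sed` substitution only strips a `./<dir>/` prefix, so the two SBOMs placed directly in `artifacts/` appear in SHA256SUMS as `./zeroclaw.cdx.json` and `./zeroclaw.spdx.json` rather than in the bare-filename form used for the tarballs; either write the SBOMs into a subdirectory like the other artifacts or extend the pattern to drop a leading `./`. The hunk's trailing context after `cat SHA256SUMS` is not visible here.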