From bb7cb34b0a4ce53cbbf548ea41cd8216e37a2c9d Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Fri, 21 Nov 2025 15:55:05 +0800
Subject: [PATCH] feat: goreleaser native sboms
---
 .github/workflows/release.yaml | 9 ---------
 .gitignore | 1 -
 .goreleaser.yaml | 16 ++++++++--------
 3 files changed, 8 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 9d4eb70..99bdf67 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -45,15 +45,6 @@ jobs:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Export SBOM for binary in SPDX JSON format
- # https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28
- run: |
- gh api \
- -H "Accept: application/vnd.github+json" \
- -H "X-GitHub-Api-Version: 2022-11-28" \
- /repos/${{ github.repository }}/dependency-graph/sbom > sbom.spdx.json
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
 id: goreleaser
 with:
diff --git a/.gitignore b/.gitignore
index 6ee2014..dc0c8d2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
 /dist
 /cover.out
-/sbom.spdx.json
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index a3c8594..e2ff600 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -24,6 +24,14 @@ builds:
 binary: another-binary
 main: ./cmd/another-binary
+checksum:
+ name_template: checksums.txt
+
+sboms:
+- ids:
+ - go-cli-github
+ - another-binary
+
 changelog:
 use: github-native
@@ -48,11 +56,3 @@ dockers_v2:
 - latest
 build_args:
 BINARY: another-binary
-
-release:
- extra_files:
- - glob: ./sbom.spdx.json
- name_template: "{{ .ProjectName }}.v{{ .Version }}.sbom.spdx.json"
-
-checksum:
- name_template: checksums.txt
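Review bot: The new `sboms:` entry in the `.goreleaser.yaml` hunk at -24,6 sets only `ids`, so it relies on GoReleaser's defaults, which are `artifacts: archive` and the `syft` command. With the archive default, `ids` is matched against archive IDs, so if `go-cli-github` and `another-binary` are build IDs and the archives (not visible in this hunk) use a different id, the filter may match nothing and the release would ship without SBOMs; stating the intent explicitly, e.g. `artifacts: binary`, would remove the guesswork. The diffstat shows no additions to release.yaml, so unless syft is already installed earlier in that job the goreleaser step would presumably fail; if an install step has to be added, pin it by commit SHA as the goreleaser-action line is. A comment above the entry such as `# SBOMs are generated by syft per artifact; replaces the GitHub dependency-graph export` would also record that the SBOM's source and scope changed.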