From efc145f12e54102cd3b5ca2ab5c5c04f65ce2cfe Mon Sep 17 00:00:00 2001
From: Erich Smith
Date: Wed, 17 Dec 2025 12:45:09 -0500
Subject: [PATCH 1/2] Streamline SBOM generation and cosigning

.goreleaser.yaml:
- Install syft dependency
- Checksums renamed to checksums_linux.txt
- Removed archive SBOM generation (source SBOM generated in workflow instead)

.github/workflows/release.yml:
- goreleaser job generates dashlights__source.sbom.json from source
- darwin-release uses checksums_darwin.txt (no longer modifies goreleaser output)
- darwin-release signs checksums_darwin.txt with cosign
---
 .github/workflows/release.yml | 53 ++++++++++++++++++++++++++---------
 .goreleaser.yaml              | 13 ++-------
 2 files changed, 43 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8703d54..30d2d67 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -59,7 +59,17 @@ jobs:
         run: cd src && go generate
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@43a17d6e7add2b5535efe4dcae9952337c479a93 # v0.20.11
+
+      - name: Generate Source SBOM
+        run: |
+          VERSION_NUM=${{ needs.check-release.outputs.tag_name }}
+          VERSION_NUM=${VERSION_NUM#v}
+          # Generate SBOM from source (includes go.mod dependencies)
+          syft dir:. --output "cyclonedx-json=dashlights_${VERSION_NUM}_source.sbom.json"
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
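Review bot: `VERSION_NUM=${{ needs.check-release.outputs.tag_name }}` in the new Generate Source SBOM step expands the tag name into the script text before the shell runs it, so a tag like `v1.0.0;curl …` (git permits `;`, `$`, `(` and backticks in ref names) executes inside the release job with its GITHUB_TOKEN — the standard Actions script-injection pattern. Pass the value through the environment instead, which is what the later hunk reading `${VERSION#v}` already appears to do: add `env:` / `  TAG_NAME: ${{ needs.check-release.outputs.tag_name }}` to the step and write `VERSION_NUM=${TAG_NAME#v}`. Whether check-release already validates the tag is not visible here; even if it does, the env-var form costs nothing and removes the dependency on that check. The same direct interpolation appears in the Upload Source SBOM step added by the next hunk.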
@@ -70,6 +80,14 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Upload Source SBOM
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          VERSION=${{ needs.check-release.outputs.tag_name }}
+          VERSION_NUM=${VERSION#v}
+          gh release upload "$VERSION" "dashlights_${VERSION_NUM}_source.sbom.json" --clobber
+
   # Build, sign, and notarize macOS binaries separately
   darwin-release:
     needs: [check-release, goreleaser]
@@ -92,6 +110,9 @@ jobs:
       - name: Generate repository URL
         run: cd src && go generate
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+
       - name: Import Code Signing Certificate
         env:
           APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
@@ -213,8 +234,20 @@ jobs:
         run: |
           VERSION_NUM=${VERSION#v}
           cd dist
-          shasum -a 256 dashlights_${VERSION_NUM}_Darwin_*.zip > darwin_checksums.txt
-          cat darwin_checksums.txt
+          shasum -a 256 dashlights_${VERSION_NUM}_Darwin_*.zip > checksums_darwin.txt
+          cat checksums_darwin.txt
+
+      - name: Sign Darwin Checksums with Cosign
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cd dist
+          # Keyless signing using GitHub OIDC identity
+          cosign sign-blob \
+            --output-certificate=checksums_darwin.txt.pem \
+            --output-signature=checksums_darwin.txt.sig \
+            checksums_darwin.txt \
+            --yes
 
       - name: Upload Darwin Assets to Release
         env:
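Review bot: The source SBOM is uploaded with no signature and is not listed in the checksum file goreleaser signs, so a consumer has no way to verify its integrity or origin — the one supply-chain document in the release is weaker than the archives it describes. The same job installs cosign (first hunk), so sign it keyless and upload the `.sig`/`.pem` beside it, as the darwin-release job now does for checksums_darwin.txt; this assumes the goreleaser job already has `id-token: write` for goreleaser's own keyless `signs:`, which is outside this diff. The step also expands `${{ needs.check-release.outputs.tag_name }}` straight into the script; read it from `env:` instead.
```yaml
      - name: Upload Source SBOM
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ needs.check-release.outputs.tag_name }}
        run: |
          SBOM="dashlights_${TAG_NAME#v}_source.sbom.json"
          # Keyless signature (GitHub OIDC identity) so the SBOM is verifiable like the checksums
          cosign sign-blob --yes \
            --output-certificate="${SBOM}.pem" \
            --output-signature="${SBOM}.sig" \
            "$SBOM"
          gh release upload "$TAG_NAME" "$SBOM" "${SBOM}.sig" "${SBOM}.pem" --clobber
```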
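Review bot: Keyless `cosign sign-blob` in the new Sign Darwin Checksums step requires the darwin-release job to hold `id-token: write`; the job's `permissions` are outside this hunk, so confirm they were added, otherwise the step fails when cosign requests the OIDC token. `COSIGN_EXPERIMENTAL: "1"` was the cosign 1.x opt-in for keyless mode and is ignored by the cosign 2.x that cosign-installer v3 installs by default (assuming that is what the pinned v3.9.1 resolves to); drop the `env:` block rather than leave a flag implying keyless is still experimental. A signature is only as useful as the identity verifiers pin, so I would extend the inline comment to `# Keyless signing (GitHub OIDC). Verify with: cosign verify-blob --certificate checksums_darwin.txt.pem --signature checksums_darwin.txt.sig --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/<owner>/dashlights/' checksums_darwin.txt`. The `run:` block that writes checksums_darwin.txt belongs to a step whose `- name:` line is above the hunk.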
@@ -222,21 +255,15 @@ jobs:
         run: |
           VERSION_NUM=${VERSION#v}
 
-          # Upload archives
+          # Upload archives, checksums, and signature
           gh release upload "$VERSION" \
             dist/dashlights_${VERSION_NUM}_Darwin_x86_64.zip \
             dist/dashlights_${VERSION_NUM}_Darwin_arm64.zip \
+            dist/checksums_darwin.txt \
+            dist/checksums_darwin.txt.sig \
+            dist/checksums_darwin.txt.pem \
             --clobber
 
-          # Append Darwin checksums to existing checksums.txt
-          gh release download "$VERSION" -p checksums.txt -O dist/checksums.txt || true
-          if [ -f dist/checksums.txt ]; then
-            cat dist/darwin_checksums.txt >> dist/checksums.txt
-          else
-            cp dist/darwin_checksums.txt dist/checksums.txt
-          fi
-          gh release upload "$VERSION" dist/checksums.txt --clobber
-
       - name: Cleanup
         if: always()
         run: |
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index e14573c..1d6be5d 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -47,7 +47,7 @@ archives:
       - README.md
 
 checksum:
-  name_template: 'checksums.txt'
+  name_template: 'checksums_linux.txt'
 
 snapshot:
   version_template: "{{ incpatch .Version }}-next"
@@ -85,13 +85,6 @@ signs:
     artifacts: checksum
     output: true
 
-sboms:
-  - id: default
-    artifacts: archive
-    documents:
-      - "${artifact}.sbom.json"
-    args:
-      - "$artifact"
-      - "--output"
-      - "cyclonedx-json=$document"
+# Source SBOM is generated manually in release.yml before goreleaser runs
+# This provides actual dependency information from go.mod rather than empty archive scans
 

From 4c4ecb565ae85b64a1d9bc759bd75af6a29e81cf Mon Sep 17 00:00:00 2001
From: Erich Smith
Date: Wed, 17 Dec 2025 12:54:32 -0500
Subject: [PATCH 2/2] Update CHANGELOG for v1.0.7-slsa

---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca246ea..e013e52 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
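Review bot: Dropping the merge into `checksums.txt` removes that release asset altogether (goreleaser now writes `checksums_linux.txt`, per the .goreleaser.yaml hunk), which silently breaks any install script or README instruction that downloads `checksums.txt` — neither the commit message nor the CHANGELOG entry in the second patch calls this out. Record it where consumers will see it, e.g. `- BREAKING: checksums.txt is replaced by checksums_linux.txt (signed by goreleaser) and checksums_darwin.txt (signed keyless with cosign sign-blob)`. The rewritten comment could also say which signature it means: `# Upload archives plus checksums_darwin.txt with its cosign signature (.sig) and certificate (.pem)`. The `run:` block this hunk edits starts above the hunk.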
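Review bot: With the `sboms:` stanza removed, no released SBOM is bound to a released artifact: the source SBOM that release.yml now produces describes the checked-out tree, and the `signs:` entry kept as context covers only the checksum file, so a verifier cannot establish which build a given SBOM belongs to. If per-artifact SBOMs matter for the SLSA goal the `1.0.7-slsa` tag suggests, attach the SBOM to the archives as a cosign attestation or at least list it in the checksum file so the existing signature covers it; both changes live outside this hunk, and I have not checked whether goreleaser's archive scan was in fact empty. The replacement comment would help a future reader more if it named the file and the producing step: `# SBOM: release.yml runs syft on the source tree before goreleaser and uploads dashlights_<version>_source.sbom.json (step "Generate Source SBOM"); the archive-based sboms: block was dropped because its output lacked go.mod dependencies`.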
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.7-slsa] - 2025-12-17
+
+### Changed
+- Streamlined SBOM generation and cosigning process for improved efficiency
+
+
 ## [1.0.7] - 2025-12-17
 
 ### Changed