ci: SBOM for releases

Add source bill of materials (SBOM) generation in goreleaser config.

Author: vlesich-sylabs

.circleci/config.yml

@@ -84,6 +84,9 @@ jobs:
       - run:
           name: Install Cross-Platform Emulators
           command: docker run --privileged --rm tonistiigi/binfmt --install all
+      - run:
+          name: Install syft
+          command: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
       - run:
           name: Test Release
           command: curl -sL https://git.io/goreleaser | bash -s -- --snapshot --skip-publish
@@ -103,6 +106,9 @@ jobs:
       - run:
           name: Authenticate with DockerHub
           command: echo "${DOCKER_PASSWORD}" | docker login docker.io -u "${DOCKER_USERNAME}" --password-stdin
+      - run:
+          name: Install syft
+          command: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
       - run:
           name: Publish Release
           command: curl -sL https://git.io/goreleaser | bash

.goreleaser.yml

@@ -110,3 +110,6 @@ docker_manifests:
   - name_template: sylabsio/scs-build:{{ .Major }}.{{ .Minor }}.{{ .Patch }}
     image_templates: *manifest-images
     skip_push: auto
+
+sboms:
+  - artifacts: archive