feat: goreleaser native sboms

Author: smlx

.github/workflows/release.yaml

@@ -45,15 +45,6 @@ jobs:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Export SBOM for binary in SPDX JSON format
-      # https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28
-      run: |
-        gh api \
-          -H "Accept: application/vnd.github+json" \
-          -H "X-GitHub-Api-Version: 2022-11-28" \
-          /repos/${{ github.repository }}/dependency-graph/sbom > sbom.spdx.json
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
       id: goreleaser
       with:

.gitignore

@@ -1,3 +1,2 @@
 /dist
 /cover.out
-/sbom.spdx.json

.goreleaser.yaml

@@ -24,6 +24,14 @@ builds:
   binary: another-binary
   main: ./cmd/another-binary
 
+checksum:
+  name_template: checksums.txt
+
+sboms:
+- ids:
+  - go-cli-github
+  - another-binary
+
 changelog:
   use: github-native
 
@@ -48,11 +56,3 @@ dockers_v2:
   - latest
   build_args:
     BINARY: another-binary
-
-release:
-  extra_files:
-  - glob: ./sbom.spdx.json
-    name_template: "{{ .ProjectName }}.v{{ .Version }}.sbom.spdx.json"
-
-checksum:
-  name_template: checksums.txt