chore: add comment about SBOM generation to the release workflow

Author: smlx

.github/workflows/release.yaml

@@ -38,14 +38,21 @@ jobs:
     - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
       with:
         go-version: stable
+    # The setup-buildx-action enables the docker-container driver, which allows
+    # SBOM generation for the resulting container image using the syft
+    # container which is automatically pulled and run during the container
+    # image build. However, because the release process also generates an SBOM
+    # for the binaries attached to the GitHub release (see the "sboms" section
+    # in .gorleaser.yaml), it also needs to install syft into the action
+    # environment.
     - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+    - uses: anchore/sbom-action/download-syft@a930d0ac434e3182448fe678398ba5713717112a # v0.21.0
     - name: Login to GHCR
       uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    - uses: anchore/sbom-action/download-syft@a930d0ac434e3182448fe678398ba5713717112a # v0.21.0
     - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
       id: goreleaser
       with: