From c6610f9adbe9ad83a8aeb06a4136ec736e054a12 Mon Sep 17 00:00:00 2001
From: Allan Kimmer Jensen
Date: Mon, 15 Jun 2026 14:32:36 +0200
Subject: [PATCH] feat(release): attach a CycloneDX SBOM to the GitHub release

Generate a production SBOM with the native `pnpm sbom` command (pnpm 11) and upload it as a release asset, so each tag ships a Bill of Materials for the published dependency tree. Prod-only matches what npm publishes; the file is gitignored and excluded from the npm tarball by `files`.
---
 .github/workflows/release.yml | 5 ++++-
 .gitignore | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a022b3b..99c49c2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,6 +30,9 @@ jobs:
 - run: pnpm run build
 - run: pnpm test
 
+ - name: Generate SBOM
+ run: pnpm sbom --sbom-format cyclonedx --prod > sbom.cdx.json
+
 - name: Generate changelog
 id: changelog
 run: |
@@ -42,7 +45,7 @@ jobs:
 - name: Create GitHub release
 env:
 GH_TOKEN: ${{ github.token }}
- run: gh release create "${{ github.ref_name }}" --notes "${{ steps.changelog.outputs.notes }}"
+ run: gh release create "${{ github.ref_name }}" --notes "${{ steps.changelog.outputs.notes }}" sbom.cdx.json
 
 - name: Publish to npm
 run: pnpm publish --no-git-checks --provenance --access public
diff --git a/.gitignore b/.gitignore
index 62ccde4..1000111 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,6 @@ node_modules/
 dist/
 *.tsbuildinfo
 .DS_Store
+
+# SBOM generated during release
+sbom.cdx.json
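Review bot: The `Generate SBOM` step writes sbom.cdx.json and it is later uploaded as a bare release asset, so unlike the npm package (which the publish step signs with `--provenance`) a consumer has no way to verify that the SBOM was produced by this workflow or was not altered after upload. If the repository uses GitHub artifact attestations, a step after `Generate SBOM` such as `- uses: actions/attest-sbom@v2` with `sbom-path: sbom.cdx.json` (and the built package as `subject-path`) would bind the SBOM to the build; that action needs `id-token: write` and `attestations: write`, and the job's `permissions` block is outside this hunk. Note also that the SBOM only reflects the lockfile if the install step above (not visible here) runs with `--frozen-lockfile`, and that `pnpm sbom` presumes the pinned pnpm version is 11 or later, which this hunk does not show. The `jobs:` block this step belongs to begins outside the hunk.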
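Review bot: The rewritten `run:` line of `Create GitHub release` still expands `${{ steps.changelog.outputs.notes }}` directly into the shell command, so a quote or command substitution inside the generated notes (which derive from commit text) can break out of the double quotes and be executed with `GH_TOKEN` in the environment; this predates the commit, but since the line is being changed it is the place to fix it. Pass the notes through the environment instead: add `NOTES: ${{ steps.changelog.outputs.notes }}` under the step's existing `env:` and use `run: gh release create "${{ github.ref_name }}" --notes "$NOTES" sbom.cdx.json`. Separately, the release with its SBOM asset is created before `Publish to npm` runs, so a failed publish leaves a public release advertising an SBOM for a package that never shipped; consider creating the release after the publish step, or creating it with `--draft` and publishing it once `pnpm publish` succeeds. The `jobs:` block these steps belong to begins outside the hunk.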