samply · alexanderkiel · Aug 6, 2025 · Aug 6, 2025
@@ -93,20 +93,43 @@ jobs:
         REF_NAME: ${{ github.ref_name }}
       run: echo "VERSION=${REF_NAME#v}" >> "$GITHUB_ENV"
 
+    - name: Set binary filename for Windows
+      if: matrix.os == 'windows'
+      run: echo "BINARY_FILENAME=blazectl.exe" >> "$GITHUB_ENV"
+
+    - name: Set binary filename for other OS
+      if: matrix.os != 'windows'
+      run: echo "BINARY_FILENAME=blazectl" >> "$GITHUB_ENV"
+
     - name: Build
       env:
         CGO_ENABLED: '0'
         GOOS: ${{ matrix.os }}
         GOARCH: ${{ matrix.arch }}
       run: go build .
 
+    - name: Generate SBOM
+      uses: anchore/sbom-action@v0
+      with:
+        syft-version: 'v1.29.0'
+        artifact-name: blazectl-${{ matrix.os }}-${{ matrix.arch }}-sbom.spdx.json
+        output-file: blazectl-${{ matrix.os }}-${{ matrix.arch }}-sbom.spdx.json
+        upload-artifact: false
+        file: ${{ env.BINARY_FILENAME }}
+
     - name: Generate Artifact Attestation
       uses: actions/attest-build-provenance@v2
       with:
-        subject-path: blazectl*
+        subject-path: ${{ env.BINARY_FILENAME }}
+
+    - name: Generate SBOM Attestation
+      uses: actions/attest-sbom@v2
+      with:
+        subject-path: ${{ env.BINARY_FILENAME }}
+        sbom-path: blazectl-${{ matrix.os }}-${{ matrix.arch }}-sbom.spdx.json
 
     - name: Create Archive (Linux / macOS)
-      if: matrix.os == 'linux' || matrix.os == 'darwin'
+      if: matrix.os != 'windows'
       env:
         OS: ${{ matrix.os }}
         ARCH: ${{ matrix.arch }}

@@ -1,5 +1,6 @@
 [![Build](https://github.com/samply/blazectl/actions/workflows/build.yml/badge.svg)](https://github.com/samply/blazectl/actions/workflows/build.yml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/samply/blazectl)](https://goreportcard.com/report/github.com/samply/blazectl)
+[![SLSA 2](https://slsa.dev/images/gh-badge-level2.svg)](https://slsa.dev)
 
 # blazectl
 
@@ -193,6 +194,16 @@ gh attestation verify --repo samply/blazectl blazectl
 
 The `install.sh` script already verifies the attestations.
 
+### SBOM Viewer
+
+The SBOM can be generated by the GitHub CLI:
+
+```sh
+gh attestation verify --repo samply/blazectl blazectl --predicate-type "https://spdx.dev/Document/v2.3" --format json  --jq '.[].verificationResult.statement.predicate' > blazectl-sbom.json
+```
+
+The resulting SBOM can be viewed at a [Web Viewer provided by SUSE][12].
+
 ## Similar Software
 
 * [VonkLoader][1] - can also upload transaction bundles but needs .NET SDK
@@ -219,3 +230,4 @@ Unless required by applicable law or agreed to in writing, software distributed
 [9]: <https://github.com/samply/blaze/blob/main/docs/cql-queries/blazectl.md>
 [10]: <https://github.com/cli/cli>
 [11]: <https://docs.github.com/en/actions/concepts/security/artifact-attestations>
+[12]: <https://apps.rancher.io/sbom-viewer>
@@ -32,7 +32,7 @@ rm "$archive_filename"
 if command -v gh > /dev/null
 then
   echo "Verify blazectl binary..."
-  gh attestation verify --repo "$repo" blazectl
+  gh attestation verify --repo "$repo" --predicate-type https://spdx.dev/Document/v2.3 blazectl
 else
   echo "Skip blazectl binary verification. Please install the GitHub CLI tool from https://github.com/cli/cli."
 fi