workflow

.github/workflows/go-release.yml

@@ -32,25 +32,34 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 #          TAP_GITHUB_TOKEN: ${{ secrets.TAP_GITHUB_TOKEN }}
 
-      - id: hello
-        uses: typisttech/tmp-attest-goreleaser-sbom-action/.github/actions/metadata@main
+      - id: upload
+        uses: typisttech/tmp-attest-goreleaser-sbom-action@main
 
-      - run: echo "The time was ${{ steps.hello.outputs.artifacts }}"
-
 #      - uses: actions/attest-build-provenance@v1
 #        with:
 #          subject-path: |
 #            dist/vipdatasync_*.checksums.txt
 #            dist/vipdatasync_*/vipdatasync
 #            dist/vipdatasync_*.tar.gz
 #            dist/**/*.sbom.json
-#
-#      - id: semver
-#        run: echo "semver=${CURRENT_REF_NAME#v}" >> $GITHUB_OUTPUT
-#        env:
-#          CURRENT_REF_NAME: ${{ github.ref_name }}
-#
-#      - uses: actions/attest-sbom@v1
-#        with:
-#          subject-path: "dist/vipdatasync_${{ steps.semver.outputs.semver }}_darwin_amd64.tar.gz"
-#          sbom-path: "dist/vipdatasync_${{ steps.semver.outputs.semver }}_darwin_amd64.tar.gz.sbom.json"
+
+  attest-sbom:
+    runs-on: ubuntu-latest
+    needs: [goreleaser]
+    permissions:
+      id-token: write
+      attestations: write
+
+    strategy:
+      matrix:
+        attestation: ${{ fromJson(needs.goreleaser.steps.upload.outputs.attestations) }}
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.goreleaser.steps.upload.outputs.artifact }}
+
+      - uses: actions/attest-sbom@v1
+        with:
+          subject-path: ${{ matrix.attestation.subject }}
+          sbom-path: ${{ matrix.attestation.sbom }}