From 8f0f206f987a9f20d8740ae5ab75346cb21f2c64 Mon Sep 17 00:00:00 2001 From: bupd Date: Fri, 2 Jan 2026 23:03:39 +0530 Subject: [PATCH 1/2] feat: add sbom generation to goreleaser --- .goreleaser.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.goreleaser.yml b/.goreleaser.yml index 9c5f3da..548fae4 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -35,6 +35,11 @@ archives: checksum: name_template: "checksums.txt" +sboms: + - artifacts: archive + cmd: syft + args: ["$artifact", "--output", "spdx-json=$document"] + changelog: sort: asc filters: From 136c725355ed087ea2844a013c443ba09fa3c9eb Mon Sep 17 00:00:00 2001 From: bupd Date: Fri, 2 Jan 2026 23:03:49 +0530 Subject: [PATCH 2/2] ci: add harbor copy, sbom attestation and cosign signing --- .github/workflows/ci.yml | 25 ++++++++++++++++++++--- .github/workflows/release.yml | 37 ++++++++++++++++++++++++++++++++--- 2 files changed, 56 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 05b1dac..840d2fd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,6 +8,7 @@ on: env: REGISTRY: ghcr.io + HARBOR_REGISTRY: registry.goharbor.io/bupd IMAGE_NAME: ${{ github.repository }} jobs: @@ -46,6 +47,12 @@ jobs: - name: Setup Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Install cosign + uses: sigstore/cosign-installer@v3 + + - name: Install crane + uses: imjasonh/setup-crane@v0.4 + - name: Login to GHCR uses: docker/login-action@v3 with: @@ -53,8 +60,12 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Install cosign - uses: sigstore/cosign-installer@v3 + - name: Login to Harbor + uses: docker/login-action@v3 + with: + registry: registry.goharbor.io + username: ${{ secrets.HARBOR_USERNAME }} + password: ${{ secrets.HARBOR_PASSWORD }} - name: Extract metadata id: meta 
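Review bot: The SBOM this `sboms:` stanza produces is uploaded as a bare release asset with nothing signing it, so a consumer fetching the SBOM document or `checksums.txt` from the release has no way to tell it came from this pipeline, unlike the container SBOM in the second patch, which gets cosign-signed together with the image. A `signs:` stanza in the same file can sign the checksum file, which in turn pins every artifact it lists, using the same keyless cosign flow the workflows already rely on; the job running GoReleaser then needs `id-token: write`, which is not visible in this patch. The explicit `cmd`/`args` appear to match goreleaser's documented defaults for `artifacts: archive`, which is fine as documentation but means they change nothing.
```yaml
# … unchanged: sboms stanza …

signs:
  - cmd: cosign
    certificate: "${artifact}.pem"
    artifacts: checksum
    args:
      - sign-blob
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
      - "--yes"
```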
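Review bot: The two actions added in the `@@ -46,6 +47,12 @@` hunk, `sigstore/cosign-installer@v3` and `imjasonh/setup-crane@v0.4`, are referenced by mutable tags, and they install the very tools that sign and publish the image, so whoever can move those tags controls the signing step. Pin them to a full commit SHA with the version kept as a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha>  # v3`, and let Dependabot track updates. The same applies to `anchore/sbom-action/download-syft@v0` in the release.yml `@@ -24,6 +25,9 @@` hunk and to the identical install steps in the release.yml `@@ -48,6 +52,12 @@` hunk.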
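Review bot: The `Login to Harbor` step in the `@@ -53,8 +60,12 @@` hunk is added unconditionally to the CI workflow, whose `on:` triggers are outside the hunk; if the workflow runs for pull requests, the step fails on fork PRs (secrets are not exposed there) and on same-repo PRs it hands a long-lived Harbor push credential to pre-review code. Gate the Harbor login and the later copy/sign steps on a non-PR event, e.g. `if: github.event_name != 'pull_request'`, or leave Harbor publishing to release.yml entirely. Whatever the trigger, `HARBOR_USERNAME`/`HARBOR_PASSWORD` should be a Harbor robot account limited to push on that one project rather than a user account, so a leak from this job cannot reach anything else in the registry.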
@@ -74,8 +85,16 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + sbom: true + provenance: mode=max cache-from: type=gha cache-to: type=gha,mode=max - - name: Sign image with cosign + - name: Sign GHCR image run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} + + - name: Copy image to Harbor + run: crane copy ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} ${{ env.HARBOR_REGISTRY }}/shitpost:latest + + - name: Sign Harbor image + run: cosign sign --yes ${{ env.HARBOR_REGISTRY }}/shitpost:latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d795731..d279df1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,7 @@ on: env: REGISTRY: ghcr.io + HARBOR_REGISTRY: registry.goharbor.io/bupd IMAGE_NAME: ${{ github.repository }} jobs: @@ -24,6 +25,9 @@ jobs: with: go-version: "1.25" + - name: Install syft + uses: anchore/sbom-action/download-syft@v0 + - name: Run GoReleaser uses: goreleaser/goreleaser-action@v6 with: @@ -48,6 +52,12 @@ jobs: - name: Setup Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Install cosign + uses: sigstore/cosign-installer@v3 + + - name: Install crane + uses: imjasonh/setup-crane@v0.4 + - name: Login to GHCR uses: docker/login-action@v3 with: @@ -55,8 +65,12 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Install cosign - uses: sigstore/cosign-installer@v3 + - name: Login to Harbor + uses: docker/login-action@v3 + with: + registry: registry.goharbor.io + username: ${{ secrets.HARBOR_USERNAME }} + password: ${{ secrets.HARBOR_PASSWORD }} - name: Extract metadata id: meta 
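Review bot: `Sign Harbor image` signs `shitpost:latest` by tag, while the `Sign GHCR image` step just above signs by digest; cosign resolves a tag at signing time, so a concurrent run that moved `latest` between this run's `crane copy` and `cosign sign` would get this run's signature attached to its image. Since `crane copy` by digest preserves the manifest digest, sign the same digest on the Harbor side: `run: cosign sign --yes ${{ env.HARBOR_REGISTRY }}/shitpost@${{ steps.build-and-push.outputs.digest }}`. Note also that this CI job now overwrites and signs Harbor's `latest` on every run its triggers admit, which gives `latest` a different meaning from the release-tag-based one release.yml writes; the same sign-by-digest change applies to the release.yml `@@ -78,8 +92,25 @@` hunk.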
@@ -78,8 +92,25 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + sbom: true + provenance: mode=max cache-from: type=gha cache-to: type=gha,mode=max - - name: Sign image with cosign + - name: Sign GHCR image run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} + + - name: Get version tag + id: version + run: echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + + - name: Copy image to Harbor + run: crane copy ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} ${{ env.HARBOR_REGISTRY }}/shitpost:${{ steps.version.outputs.tag }} + + - name: Copy latest to Harbor + run: crane copy ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} ${{ env.HARBOR_REGISTRY }}/shitpost:latest + + - name: Sign Harbor images + run: | + cosign sign --yes ${{ env.HARBOR_REGISTRY }}/shitpost:${{ steps.version.outputs.tag }} + cosign sign --yes ${{ env.HARBOR_REGISTRY }}/shitpost:latest
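Review bot: `Sign Harbor images` signs both Harbor references by tag, and `Copy latest to Harbor` re-copies the whole image a second time only to attach a second tag; cosign stores the signature keyed by the manifest digest, which `crane copy` preserves, so a single `cosign sign` against `shitpost@<digest>` covers both tags, and `crane tag` can add `latest` without a second transfer. The `Get version tag` step strips `refs/tags/` but leaves any other ref untouched, so if this workflow is ever run from a branch ref (the `on:` block is outside the hunk) the result is an invalid image reference; `${{ github.ref_name }}` yields the bare tag name directly and makes the step unnecessary. The enclosing job continues outside the hunk.
```yaml
      - name: Copy image to Harbor
        run: crane copy ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} ${{ env.HARBOR_REGISTRY }}/shitpost:${{ github.ref_name }}

      - name: Tag latest in Harbor
        run: crane tag ${{ env.HARBOR_REGISTRY }}/shitpost:${{ github.ref_name }} latest

      - name: Sign Harbor image
        run: cosign sign --yes ${{ env.HARBOR_REGISTRY }}/shitpost@${{ steps.build-and-push.outputs.digest }}
```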