bupd · bupd · Jan 2, 2026 · Jan 2, 2026 · Jan 2, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,6 +8,7 @@ on:
 
 env:
   REGISTRY: ghcr.io
+  HARBOR_REGISTRY: registry.goharbor.io/bupd
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
@@ -46,15 +47,25 @@ jobs:
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Install crane
+        uses: imjasonh/setup-crane@v0.4
+
       - name: Login to GHCR
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Install cosign
-        uses: sigstore/cosign-installer@v3
+      - name: Login to Harbor
+        uses: docker/login-action@v3
+        with:
+          registry: registry.goharbor.io
+          username: ${{ secrets.HARBOR_USERNAME }}
+          password: ${{ secrets.HARBOR_PASSWORD }}
 
       - name: Extract metadata
         id: meta
@@ -74,8 +85,16 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          sbom: true
+          provenance: mode=max
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-      - name: Sign image with cosign
+      - name: Sign GHCR image
         run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+
+      - name: Copy image to Harbor
+        run: crane copy ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} ${{ env.HARBOR_REGISTRY }}/shitpost:latest
+
+      - name: Sign Harbor image
+        run: cosign sign --yes ${{ env.HARBOR_REGISTRY }}/shitpost:latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,7 @@ on:
 
 env:
   REGISTRY: ghcr.io
+  HARBOR_REGISTRY: registry.goharbor.io/bupd
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
@@ -24,6 +25,9 @@ jobs:
         with:
           go-version: "1.25"
 
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@v0
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
@@ -48,15 +52,25 @@ jobs:
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Install crane
+        uses: imjasonh/setup-crane@v0.4
+
       - name: Login to GHCR
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Install cosign
-        uses: sigstore/cosign-installer@v3
+      - name: Login to Harbor
+        uses: docker/login-action@v3
+        with:
+          registry: registry.goharbor.io
+          username: ${{ secrets.HARBOR_USERNAME }}
+          password: ${{ secrets.HARBOR_PASSWORD }}
 
       - name: Extract metadata
         id: meta
@@ -78,8 +92,25 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          sbom: true
+          provenance: mode=max
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-      - name: Sign image with cosign
+      - name: Sign GHCR image
         run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+
+      - name: Get version tag
+        id: version
+        run: echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      - name: Copy image to Harbor
+        run: crane copy ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} ${{ env.HARBOR_REGISTRY }}/shitpost:${{ steps.version.outputs.tag }}
+
+      - name: Copy latest to Harbor
+        run: crane copy ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} ${{ env.HARBOR_REGISTRY }}/shitpost:latest
+
+      - name: Sign Harbor images
+        run: |
+          cosign sign --yes ${{ env.HARBOR_REGISTRY }}/shitpost:${{ steps.version.outputs.tag }}
+          cosign sign --yes ${{ env.HARBOR_REGISTRY }}/shitpost:latest
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -35,6 +35,11 @@ archives:
 checksum:
   name_template: "checksums.txt"
 
+sboms:
+  - artifacts: archive
+    cmd: syft
+    args: ["$artifact", "--output", "spdx-json=$document"]
+
 changelog:
   sort: asc
   filters: