Attach an SBOM to a GitHub Release
Generate a CycloneDX SBOM during your GitHub release workflow and publish it as a release asset, giving downstream consumers a verifiable per-version component inventory.
Consumers of your software increasingly expect a per-version SBOM. Attaching one to each GitHub Release gives them a verifiable inventory tied exactly to the artifacts they download. This tutorial generates a CycloneDX SBOM during a release run and publishes it as a release asset.
Prerequisites
- A GitHub repository that publishes tagged releases
- Permission to publish release assets
Steps
1. Trigger the workflow on release
Create a workflow that runs when a release is published, using the release event with types: [published].
2. Scan the tagged commit
The workflow checks out the tagged commit and scans it:
npx @vibgrate/cli scan
This ensures the SBOM reflects exactly what shipped in this version.
3. Export the SBOM
Export the CycloneDX SBOM to a file:
vg sbom export --format cyclonedx --out sbom.cdx.json
With the no-install form, prefix with npx @vibgrate/cli.
4. Upload the SBOM as a release asset
Use the GitHub CLI to attach the file to the release that triggered the run:
gh release upload "$GITHUB_REF_NAME" sbom.cdx.json
A full workflow:
name: Release SBOM
on:
release:
types: [published]
jobs:
sbom:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
- run: npx @vibgrate/cli scan
- run: npx @vibgrate/cli sbom export --format cyclonedx --out sbom.cdx.json
- run: gh release upload "$GITHUB_REF_NAME" sbom.cdx.json
env:
GH_TOKEN: ${{ github.token }}
5. Confirm the asset on the release
Open the release page; sbom.cdx.json appears in the Assets list.
Verification
The job exits 0 and the release page lists the SBOM as a downloadable asset tied to the version tag.
Next Steps
Generate the SBOM as part of a broader release pipeline, and push your scan to Vibgrate Cloud for trend tracking across versions.