From c21f1ca14e6f8e5ef1dd2368b8a5835efe4290f6 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 25 Nov 2025 16:21:52 +0800 Subject: [PATCH 1/2] fix: switch back to archive sboms --- .goreleaser.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 63c7d7c..62be159 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -27,11 +27,8 @@ builds: checksum: name_template: checksums.txt -source: - enabled: true - sboms: -- artifacts: source +- artifacts: archive changelog: use: github-native From 4f31aa8efc57c2b958ec84e3912c147374fc8959 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 25 Nov 2025 16:22:33 +0800 Subject: [PATCH 2/2] chore: update README We have attestation now. --- README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 5dc533e..31b2949 100644 --- a/README.md +++ b/README.md 
@@ -15,17 +15,18 @@ It also automatically builds and tests your code using [GitHub Actions](https:// ## Features -* Use [GoReleaser](https://goreleaser.com/) to automatically build and create GitHub Releases and Docker images on merge to `main`. +* Use [GoReleaser](https://goreleaser.com/) to automatically build and create GitHub Releases and container images on merge to `main`. * This uses the [Conventional Commits Versioner](https://github.com/smlx/ccv) to automatically version each release. -* Lint your commit messages, and your Go, GitHub Action, and Dockerfile code. +* Lint your commit messages, Go code, GitHub Actions, and Dockerfiles. * Test Pull Requests using `go test`. -* Build Docker images from Pull Requests for manual testing and review. +* Build container images from Pull Requests and push them to the GitHub container registry for manual testing and review. * Static code analysis using [CodeQL](https://codeql.github.com/) and [Go Report Card](https://goreportcard.com/). * Coverage analysis using the [go-test-coverage action](https://github.com/vladopajic/go-test-coverage). * Security analysis using [OpenSSF](https://securityscorecards.dev). -* Signed binary artifacts using [artifact attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). +* Signed binary and container release artifacts using [artifact attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). +* SBOM generation for both release artifacts and container images, with image SBOMs pushed to the container registry. ## How to use
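Review bot: in the .goreleaser.yaml hunk, deleting the whole `source:` block removes the source tarball from the release, not just its SBOM, so anyone who downloaded the source archive (or verified it against checksums.txt) loses that artifact; the commit message only says "switch back to archive sboms", so either keep `source: enabled: true` and change only `- artifacts: source` to `- artifacts: archive`, or state in the message that dropping the source archive is intended. Note also that the SBOM subject moves from the repository snapshot to each built archive, so any verification step that fetched the SBOM by its old source-artifact name will need updating.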
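Review bot: the new README bullet "SBOM generation for both release artifacts and container images, with image SBOMs pushed to the container registry" is not backed by the configuration in this series, where the only SBOM setting is `- artifacts: archive` for release archives; if image SBOMs are produced and pushed by a workflow step outside GoReleaser, name it in the README (or the PR description) so the claim can be checked. The "Build container images from Pull Requests and push them to the GitHub container registry" bullet should also say that PR images carry no attestation, since the attestation bullet covers release artifacts only, so a reviewer does not mistake a PR image for a trusted release.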