From f38c4934d18ad26ecc86d75180140355f78e2264 Mon Sep 17 00:00:00 2001
From: Vinny Barton
Date: Wed, 22 Apr 2026 07:16:49 -0400
Subject: [PATCH] feat: update release
---
 .github/workflows/release-cli.yml | 16 ++++++++
 .goreleaser.yml | 66 +++++++++++++++++++++++++++++++
 Dockerfile.goreleaser | 8 ++++
 README.md | 5 ++-
 4 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 Dockerfile.goreleaser
diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml
index 7018eff..2a6ff68 100644
--- a/.github/workflows/release-cli.yml
+++ b/.github/workflows/release-cli.yml
@@ -8,6 +8,7 @@ on:
 permissions:
 contents: write
+ packages: write
 jobs:
 release:
@@ -27,6 +28,20 @@ jobs:
 go-version-file: go.mod
 cache: true
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Derive image name
+ shell: bash
+ run: echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}" >> "${GITHUB_ENV}"
+
 - name: Run Goreleaser
 uses: goreleaser/goreleaser-action@v6
 with:
@@ -35,3 +50,4 @@ jobs:
 args: release --clean
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ IMAGE: ${{ env.IMAGE }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 6097223..964f478 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
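Review bot: In `.github/workflows/release-cli.yml`, `packages: write` is added to the workflow-level `permissions:` block, so every job in the workflow receives it alongside `contents: write`. Only the `release` job is visible in this hunk and the jobs list continues outside it; any other job, present or added later, would inherit a token that can push to GHCR. Scoping the grant to the job that pushes, with a `permissions:` mapping under `release:` holding `contents: write` and `packages: write`, keeps the token least-privileged.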
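Review bot: The two new steps in the second hunk of `.github/workflows/release-cli.yml` reference `docker/setup-buildx-action@v3` and `docker/login-action@v3` by mutable tag, in a job that holds `contents: write` and `packages: write` and hands `secrets.GITHUB_TOKEN` to the login step. A re-pointed tag on either action would run with those credentials at release time. Pin each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha> # v3`, and let an update bot propose bumps. The same applies to `goreleaser/goreleaser-action@v6` in this hunk's context lines.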
@@ -21,3 +21,69 @@ archives:
 checksum:
 name_template: checksums.txt
+
+dockers:
+ - id: cli-amd64
+ ids:
+ - sbom-offline-verification
+ goos: linux
+ goarch: amd64
+ image_templates:
+ - "{{ .Env.IMAGE }}:{{ .Tag }}-amd64"
+ - "{{ .Env.IMAGE }}:v{{ .Major }}-amd64"
+ - "{{ .Env.IMAGE }}:v{{ .Major }}.{{ .Minor }}-amd64"
+ - "{{ .Env.IMAGE }}:latest-amd64"
+ dockerfile: Dockerfile.goreleaser
+ use: buildx
+ build_flag_templates:
+ - "--platform=linux/amd64"
+ - "--pull"
+ - "--label=org.opencontainers.image.created={{ .Date }}"
+ - "--label=org.opencontainers.image.description=Secure SBOM verification CLI"
+ - "--label=org.opencontainers.image.name={{ .ProjectName }}"
+ - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+ - "--label=org.opencontainers.image.source={{ .GitURL }}"
+ - "--label=org.opencontainers.image.version={{ .Version }}"
+
+ - id: cli-arm64
+ ids:
+ - sbom-offline-verification
+ goos: linux
+ goarch: arm64
+ image_templates:
+ - "{{ .Env.IMAGE }}:{{ .Tag }}-arm64"
+ - "{{ .Env.IMAGE }}:v{{ .Major }}-arm64"
+ - "{{ .Env.IMAGE }}:v{{ .Major }}.{{ .Minor }}-arm64"
+ - "{{ .Env.IMAGE }}:latest-arm64"
+ dockerfile: Dockerfile.goreleaser
+ use: buildx
+ build_flag_templates:
+ - "--platform=linux/arm64"
+ - "--pull"
+ - "--label=org.opencontainers.image.created={{ .Date }}"
+ - "--label=org.opencontainers.image.description=Secure SBOM verification CLI"
+ - "--label=org.opencontainers.image.name={{ .ProjectName }}"
+ - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+ - "--label=org.opencontainers.image.source={{ .GitURL }}"
+ - "--label=org.opencontainers.image.version={{ .Version }}"
+
+docker_manifests:
+ - name_template: "{{ .Env.IMAGE }}:{{ .Tag }}"
+ image_templates:
+ - "{{ .Env.IMAGE }}:{{ .Tag }}-amd64"
+ - "{{ .Env.IMAGE }}:{{ .Tag }}-arm64"
+
+ - name_template: "{{ .Env.IMAGE }}:v{{ .Major }}.{{ .Minor }}"
+ image_templates:
+ - "{{ .Env.IMAGE }}:v{{ .Major }}.{{ .Minor }}-amd64"
+ - "{{ .Env.IMAGE }}:v{{ .Major }}.{{ .Minor }}-arm64"
+
+ - name_template: "{{ .Env.IMAGE }}:v{{ .Major }}"
+ image_templates:
+ - "{{ .Env.IMAGE }}:v{{ .Major }}-amd64"
+ - "{{ .Env.IMAGE }}:v{{ .Major }}-arm64"
+
+ - name_template: "{{ .Env.IMAGE }}:latest"
+ image_templates:
+ - "{{ .Env.IMAGE }}:latest-amd64"
+ - "{{ .Env.IMAGE }}:latest-arm64"
diff --git a/Dockerfile.goreleaser b/Dockerfile.goreleaser
new file mode 100644
index 0000000..9241c8c
--- /dev/null
+++ b/Dockerfile.goreleaser
@@ -0,0 +1,8 @@
+FROM gcr.io/distroless/static-debian12:nonroot
+
+ARG TARGETPLATFORM
+
+WORKDIR /
+COPY ${TARGETPLATFORM}/sbom-offline-verification /usr/local/bin/sbom-offline-verification
+
+ENTRYPOINT ["/usr/local/bin/sbom-offline-verification"]
diff --git a/README.md b/README.md
index 4a8ee61..7d6041b 100644
--- a/README.md
+++ b/README.md
@@ -105,7 +105,10 @@ GOEXPERIMENT=jsonv2 go run ./cmd/sbom-offline-verification \
 Tagged releases matching `vX.X.X` are built with Goreleaser using [.goreleaser.yml](.goreleaser.yml). The release workflow publishes multi-platform
-CLI archives and a checksum file to the GitHub release.
+CLI archives, a checksum file, and a container image to GitHub-hosted release
+surfaces. The container image is published to GitHub Container Registry as
+`ghcr.io//` for `linux/amd64` and `linux/arm64`, with tags for the
+full version, `vMAJOR.MINOR`, `vMAJOR`, and `latest`.
 ## Examples
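Review bot: The new `dockers` and `docker_manifests` entries in `.goreleaser.yml` publish images and four manifest tags, but nothing in this hunk signs them or records their digests, and the `checksums.txt` configured just above appears to cover the archives only. Three of the four manifest names (`v{{ .Major }}`, `v{{ .Major }}.{{ .Minor }}` and `latest`) are re-pointed on every release, so a consumer pulling by tag has no stable reference to verify against. Consider adding a `docker_signs` entry with `artifacts: manifests` and documenting pull-by-digest in the README; keyless signing would also need `id-token: write` in the release workflow. Whether images are already signed elsewhere in the project is not visible from this patch.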
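Review bot: `FROM gcr.io/distroless/static-debian12:nonroot` in `Dockerfile.goreleaser` follows a mutable tag, and both `dockers` entries pass `--pull`, so each release builds on whatever that tag resolves to at build time. Pinning the digest, `FROM gcr.io/distroless/static-debian12:nonroot@sha256:<digest>`, makes the base reproducible and turns base-image bumps into reviewable changes. Separately, `COPY ${TARGETPLATFORM}/sbom-offline-verification …` assumes the build context holds a per-platform subdirectory; it is worth confirming that the `dockers` configuration in this patch stages the binary that way rather than at the context root.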