From 1fe0558cbd760bc0c324fa1018d0d8582a6544f2 Mon Sep 17 00:00:00 2001
From: Justin Abrahms
Date: Mon, 24 Oct 2022 19:37:10 -0700
Subject: [PATCH 1/3] chore: Upload sbom to release
Signed-off-by: Justin Abrahms
---
 .github/workflows/release-please.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index bb5f249a2..2fa0f4f07 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -128,4 +128,4 @@ jobs:
 config/webhook/certificate.yaml
 config/rendered/release.yaml
 config/samples/end-to-end.yaml
-
+ ${{ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT}}
From 4f1c392a663ff45532a880e291a102e2591aedc4 Mon Sep 17 00:00:00 2001
From: Justin Abrahms
Date: Mon, 24 Oct 2022 19:41:10 -0700
Subject: [PATCH 2/3] chore: Exclude signed releases since we don't use github releases for distribution
Signed-off-by: Justin Abrahms
---
 .clomonitor.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 .clomonitor.yml
diff --git a/.clomonitor.yml b/.clomonitor.yml
new file mode 100644
index 000000000..5d5b53e45
--- /dev/null
+++ b/.clomonitor.yml
@@ -0,0 +1,10 @@
+
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+
+# Checks exemptions
+
+# Check identifiers are here https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions (look for "id")
+exemptions:
+ - check: signed_releases
+ reason: "Our releases are signed in GHCR via cosign"
From 7bd644a4c733ac9ec6c7d9f6f7c3fec46f4a62ad Mon Sep 17 00:00:00 2001
From: Justin Abrahms
Date: Mon, 24 Oct 2022 19:50:38 -0700
Subject: [PATCH 3/3] fix: explicitly name sbom for inclusion
Signed-off-by: Justin Abrahms
---
 .github/workflows/release-please.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 2fa0f4f07..b11b20c50 100644
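Review bot: `${{ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT}}` on the added line is not a valid workflow expression — a named value inside `${{ }}` has to be qualified with a context, so GitHub's workflow parser should reject this file with an unrecognized named-value error; the form the sbom-action documents for this variable is `${{ env.ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT }}`. Since PATCH 3/3 in this series replaces the line with an explicit file name anyway, squashing 1/3 into 3/3 would avoid leaving a commit in which the release job cannot run at all. The `files:` block scalar this line belongs to starts outside the hunk.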
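Review bot: The `reason` given for exempting `signed_releases` says releases are signed in GHCR via cosign, but the workflow edited in PATCH 1/3 and 3/3 of this same series still publishes GitHub release assets (the rendered manifests and now the SBOM) through `softprops/action-gh-release`, and nothing on this page shows those assets being signed — so both the exemption text and the commit message's "we don't use github releases for distribution" read as only partly accurate. A reason that names which artifacts the cosign signatures cover and that the release assets are not the supported distribution channel would let a CLOMonitor reviewer verify the claim, e.g. `reason: "Container images in GHCR are signed with cosign; GitHub release assets are convenience manifests only"` (adjusted to what is actually signed). Minor style: the file begins with an empty line and has no `---` document-start marker.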
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -119,6 +119,8 @@ jobs:
 IMG=ghcr.io/open-feature/open-feature-operator:${{ needs.release-please.outputs.release_tag_name }} make release-manifests
 - uses: anchore/sbom-action@v0
+ with:
+ artifact-name: open-feature-operator.spdx.json
 - name: Release
 uses: softprops/action-gh-release@v1
@@ -128,4 +130,4 @@ jobs:
 config/webhook/certificate.yaml
 config/rendered/release.yaml
 config/samples/end-to-end.yaml
- ${{ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT}}
+ open-feature-operator.spdx.json
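Review bot: `artifact-name` in the added `with:` block names the workflow artifact that `anchore/sbom-action` uploads, whereas the second hunk of this file makes `softprops/action-gh-release` glob for `open-feature-operator.spdx.json` in the workspace — if the action writes the SBOM to a temporary path when `output-file` is not given, that glob matches nothing and the release ships without the SBOM with at most a warning. Adding `output-file: open-feature-operator.spdx.json` to the same `with:` block pins the on-disk path the release step reads, and `fail_on_unmatched_files: true` on the release step turns a missing SBOM into a failed job instead of a quiet omission. Both actions are also referenced by mutable tags (`@v0`, `@v1`); pinning them to a full commit SHA is the usual hardening for a job that publishes release artifacts. The `steps:` list and the `files:` block scalar both start outside these hunks.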