From c84a8c166fe8e6f59b8ab7cd6e13131c61384fff Mon Sep 17 00:00:00 2001
From: Scott Andrews <scott@andrews.me>
Date: Mon, 25 May 2026 13:08:22 -0400
Subject: [PATCH 1/2] Use cargo-auditable to generate sboms

Signed-off-by: Scott Andrews <scott@andrews.me>
---
 .github/workflows/publish.yaml | 1 +
 Dockerfile                     | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 5dda1f5..51a220c 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -124,6 +124,7 @@ jobs:
           --label org.opencontainers.image.vendor="Componentized <https://github.com/componentized>" \
           --label org.opencontainers.image.version="${{ inputs.tag }}" \
           --label org.opencontainers.image.url="${{ github.server_url }}/${{ github.repository }}" \
+          --sbom \
           .
 
         mkdir "wasmtime-${{ inputs.tag }}-${{ matrix.arch }}"
diff --git a/Dockerfile b/Dockerfile
index 32b4fc3..09688b3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,8 +5,9 @@ RUN \
   apt-get update ; \
   apt-get install gcc-$(arch | tr _ -)-linux-gnu musl-tools -y ; \
   rustup target add $(arch)-unknown-linux-musl ; \
+  cargo install --locked cargo-auditable ; \
   if [ "${wasmtime_crate}" = "" ] ; then \
-    cargo install \
+    cargo auditable install \
       --target "$(arch)-unknown-linux-musl" \
       --git https://github.com/bytecodealliance/wasmtime.git \
       --rev "${wasmtime_git_rev}" \
@@ -14,7 +15,7 @@ RUN \
       wasmtime-cli \
     ; \
   else \
-    cargo install \
+    cargo auditable install \
       --target "$(arch)-unknown-linux-musl" \
       --locked \
       wasmtime-cli@${wasmtime_crate} \

From daef389714b0686190750a8c515180b6db67f80f Mon Sep 17 00:00:00 2001
From: Scott Andrews <scott@andrews.me>
Date: Mon, 25 May 2026 13:10:08 -0400
Subject: [PATCH 2/2] typo

Signed-off-by: Scott Andrews <scott@andrews.me>
---
 .github/workflows/publish.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 51a220c..78d4a74 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -124,7 +124,7 @@ jobs:
           --label org.opencontainers.image.vendor="Componentized <https://github.com/componentized>" \
           --label org.opencontainers.image.version="${{ inputs.tag }}" \
           --label org.opencontainers.image.url="${{ github.server_url }}/${{ github.repository }}" \
-          --sbom \
+          --sbom=true \
           .
 
         mkdir "wasmtime-${{ inputs.tag }}-${{ matrix.arch }}"