From e3753f2045dc9cc931d298b3ea6f1af02449c706 Mon Sep 17 00:00:00 2001
From: AFS Research Team
Date: Sat, 23 May 2026 16:24:31 -0500
Subject: [PATCH] Harden release and install guidance
---
 .github/workflows/ci.yml | 2 +-
 .goreleaser.yaml | 5 ++++
 README.md | 10 ++++---
 cmd/bumblebee/release_policy_test.go | 42 ++++++++++++++++++++++++++++
 4 files changed, 54 insertions(+), 5 deletions(-)
 create mode 100644 cmd/bumblebee/release_policy_test.go
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e213c7a..6acdeab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -66,7 +66,7 @@ jobs:
 check-latest: true
 - name: install govulncheck
- run: go install golang.org/x/vuln/cmd/govulncheck@latest
+ run: go install golang.org/x/vuln/cmd/govulncheck@v1.3.0
 - name: govulncheck
 run: govulncheck ./...
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 6326c09..60e9834 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -35,6 +35,11 @@ archives:
 - README.md
 - threat_intel/**
+sboms:
+ - id: archive
+ disable: false
+ artifacts: archive
+
 checksum:
 name_template: checksums.txt
 algorithm: sha256
diff --git a/README.md b/README.md
index a94e626..60fe358 100644
--- a/README.md
+++ b/README.md
@@ -54,11 +54,10 @@ Per-ecosystem detail: [docs/inventory-sources.md](docs/inventory-sources.md).
 Requires Go 1.25+. Zero non-stdlib dependencies.
 ```sh
-# Install the latest tagged release into $GOBIN.
-go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest
-
-# Or pin a specific tag.
+# Install a tagged release into $GOBIN.
 go install github.com/perplexityai/bumblebee/cmd/bumblebee@v0.1.1
+
+# Replace v0.1.1 with the tagged release you trust.
 ```
 To build from a checkout:
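Review bot: The pin on the govulncheck install line is undercut by the `check-latest: true` context line two lines above it in the same job: the setup-go step still resolves the toolchain to the newest matching release at run time, so this hunk freezes the scanner while the compiler it analyses keeps floating, and a pinned scanner silently ages (its bug fixes stop arriving even though the vulnerability data is presumably still fetched live from vuln.go.dev). State the intent and the bump path next to the pin so the next person does not "fix" it back: `# Pinned on purpose: @latest would let an upstream change silently alter this security gate; bump deliberately (dependabot/renovate).` Whether the workflow's own actions are pinned by commit SHA, and what go-version setup-go is given, lies outside the hunk.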
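Review bot: The new sboms block hands consumers a file but nothing that proves who produced it: the checksum block directly under it is sha256 only, and nothing visible in this config signs checksums.txt or the SBOMs, so anyone who can replace release assets can regenerate both and the README's "checksums and SBOMs alongside the binary artifacts" promise adds no authenticity. Pair it with a `signs:` entry over the checksum file (cosign keyless avoids key management; verify whether GoReleaser's checksum covers the SBOM files too, otherwise sign those with `artifacts: sbom` as well). Two smaller points on the added lines: GoReleaser builds SBOMs by shelling out to syft by default, so the release job must install it or the release fails, and `disable: false` is already the default, so if it exists only to satisfy the new policy test a comment should say so. I cannot see the rest of .goreleaser.yaml, so a signs block may already exist further down.
```yaml
# … unchanged: sboms and checksum blocks …

# Sign checksums.txt so the archives it lists are verifiable with
# `cosign verify-blob`; keyless signing needs `id-token: write` in the
# release workflow.
signs:
  - cmd: cosign
    certificate: "${artifact}.pem"
    signature: "${artifact}.sig"
    args:
      - sign-blob
      - --yes
      - --output-certificate=${certificate}
      - --output-signature=${signature}
      - ${artifact}
    artifacts: checksum
```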
@@ -80,6 +79,9 @@ back to a specific build.
 Version precedence: `-ldflags` override, module version recorded by `go install`, then the in-tree default tracked in `VERSION`.
+Release archives published by GoReleaser include checksums and SBOMs
+alongside the binary artifacts.
+
 ### Self-test
 After installing, run a built-in end-to-end check against embedded
diff --git a/cmd/bumblebee/release_policy_test.go b/cmd/bumblebee/release_policy_test.go
new file mode 100644
index 0000000..f85ea39
--- /dev/null
+++ b/cmd/bumblebee/release_policy_test.go
@@ -0,0 +1,42 @@
+package main
+
+import (
+ "os"
+ "path/filepath"
+ "strings"
+ "testing"
+)
+
+func readRepoFile(t *testing.T, rel string) string {
+ t.Helper()
+ path := filepath.Join("..", "..", rel)
+ data, err := os.ReadFile(path)
+ if err != nil {
+ t.Fatalf("read %s: %v", rel, err)
+ }
+ return string(data)
+}
+
+func TestReleasePolicyNoLatestInstallPaths(t *testing.T) {
+ readme := readRepoFile(t, "README.md")
+ if strings.Contains(readme, "go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest") {
+ t.Fatal("README still advertises an unpinned @latest install path")
+ }
+ ci := readRepoFile(t, ".github/workflows/ci.yml")
+ if strings.Contains(ci, "golang.org/x/vuln/cmd/govulncheck@latest") {
+ t.Fatal("CI still installs govulncheck from @latest")
+ }
+}
+
+func TestReleasePolicySBOMConfigured(t *testing.T) {
+ goreleaser := readRepoFile(t, ".goreleaser.yaml")
+ for _, want := range []string{
+ "sboms:",
+ "disable: false",
+ "artifacts: archive",
+ } {
+ if !strings.Contains(goreleaser, want) {
+ t.Fatalf(".goreleaser.yaml missing %q", want)
+ }
+ }
+}
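Review bot: TestReleasePolicyNoLatestInstallPaths pins the policy to two literal strings, so the README or CI can reintroduce a floating reference under any other spelling — `@main`, `@master`, a second tool installed `@latest`, a `go run ...@latest` form — and the test stays green; a regex over both files enforces the class of problem and reports the offending token. The rewrite below replaces that test's body only (`regexp` joins the existing import block; readRepoFile is unchanged). A weaker form of the same issue is in TestReleasePolicySBOMConfigured, where `disable: false` matches in any section of .goreleaser.yaml; comparing each key's `strings.Index` against that of `sboms:` would tie the check to the block. I cannot see whether README.md mentions `@latest` in prose elsewhere; if it does, narrow the regex to lines beginning with `go install`.
```go
// unpinnedRef matches a module reference that is resolved at install time
// rather than fixed to a tag; @latest, @main and @master all float.
var unpinnedRef = regexp.MustCompile(`@(latest|main|master)\b`)

func TestReleasePolicyNoLatestInstallPaths(t *testing.T) {
	for _, rel := range []string{"README.md", ".github/workflows/ci.yml"} {
		if m := unpinnedRef.FindString(readRepoFile(t, rel)); m != "" {
			t.Fatalf("%s contains an unpinned module reference %q", rel, m)
		}
	}
}

// … unchanged: TestReleasePolicySBOMConfigured …
```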