From 72b7663813e22cdc49a426b0bc9446fb8dfef8f6 Mon Sep 17 00:00:00 2001
From: Christoph Reiter <reiter.christoph@gmail.com>
Date: Sat, 6 Sep 2025 17:36:58 +0200
Subject: [PATCH] generate-srcinfo: include fixed versions in the SBOM

See https://github.com/msys2/msys2-devtools/commit/c7d033348155a82e129c94998f89b5f4a3b9d0da
---
 .github/workflows/generate-srcinfo.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/generate-srcinfo.yml b/.github/workflows/generate-srcinfo.yml
index a036a5b2..0a303f69 100644
--- a/.github/workflows/generate-srcinfo.yml
+++ b/.github/workflows/generate-srcinfo.yml
@@ -92,7 +92,8 @@ jobs:
         run: |
           msys2-sbom create srcinfo.json.gz sbom.cdx.json
           ./bin/grype sbom:sbom.cdx.json -o cyclonedx-json --file sbom.vuln.cdx.json
-          msys2-sbom merge sbom.cdx.json sbom.vuln.cdx.json
+          ./bin/grype sbom:sbom.cdx.json -o json --file sbom.grype.json
+          msys2-sbom merge sbom.cdx.json sbom.vuln.cdx.json --grype-json sbom.grype.json
 
       - uses: actions/upload-artifact@v4
         with: