diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index 1162b26..4887320 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -143,11 +143,20 @@ jobs:
 echo "SBOM generated successfully"
- - name: Upload SBOM
- uses: actions/upload-artifact@v3
- with:
- name: sbom
- path: sbom.spdx.json
+ - name: Upload SBOM to Harbor via ORAS
+ run: |
+ curl -sSL https://install.oras.land/install.sh | sh -s -- -b /usr/local/bin
+
+ IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
+
+ # Authenticate (ensure $HARBOR_USERNAME and $HARBOR_TOKEN are exported already)
+ echo "${{ secrets.HARBOR_TOKEN }}" | oras login ${{ env.REGISTRY }} -u '${{ secrets.HARBOR_USERNAME }}' --password-stdin
+
+ # Push the SBOM attached to the image
+ oras push $IMAGE \
+ --artifact-type application/spdx+json \
+ --subject $IMAGE \
+ sbom.spdx.json:application/spdx+json
 # Job 4: Image Security Scan
 # scan:
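Review bot: `oras push $IMAGE --subject $IMAGE` in the new step names the same `:latest` reference as both push target and subject, so the SBOM artifact manifest would be tagged `latest` and replace the image tag it is meant to describe (and, as far as I recall, `--subject` is a flag of `oras attach` rather than `oras push`, so this may instead fail outright; verify against the ORAS version the installer fetches). Attaching a referrer without retagging is what `oras attach` does: `oras attach --artifact-type application/spdx+json "$IMAGE" sbom.spdx.json:application/spdx+json`. Because `latest` is a mutable tag, attaching to the digest of the image this workflow just pushed would pin the SBOM to the right build; that digest is not visible within this hunk. Separately, `echo "${{ secrets.HARBOR_TOKEN }}"` and `-u '${{ secrets.HARBOR_USERNAME }}'` interpolate the secrets into the script text at render time, contrary to the comment above them about exported variables; passing them through a step-level `env:` and writing `echo "$HARBOR_TOKEN" | oras login "${{ env.REGISTRY }}" -u "$HARBOR_USERNAME" --password-stdin` keeps them out of the rendered script and avoids quoting breakage on special characters. The `curl … | sh` installer also carries no version or checksum pin, so the runner executes whatever install.oras.land serves at run time; the enclosing job begins before this hunk.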