-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: add build provenance and SBOMs, update .goreleaser.yaml
- Loading branch information
Showing
3 changed files
with
43 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -17,3 +17,6 @@ | |
|
|
||
| # Go workspace file | ||
| go.work | ||
|
|
||
| # created by GoReleaser | ||
| dist/ | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,42 +1,43 @@ | ||
| version: 2 | ||
|
|
||
| builds: | ||
| - goos: | ||
| - env: | ||
| - CGO_ENABLED=0 | ||
| goos: | ||
| - linux | ||
| - darwin | ||
| - windows | ||
|
|
||
| # Defaults are 386, amd64 and arm64. | ||
| goarch: | ||
| - amd64 | ||
| - arm | ||
| - arm64 | ||
| - darwin | ||
|
|
||
| # Default is only 6. | ||
| goarm: | ||
| - "6" | ||
| - "7" | ||
| - 6 | ||
| - 7 | ||
|
|
||
| # Default is only v1. | ||
| goamd64: | ||
| - v1 | ||
| - v2 | ||
| - v3 | ||
|
|
||
| # Compile static binary that also works e.g. on Alpine Linux | ||
| env: | ||
| - CGO_ENABLED=0 | ||
|
|
||
| # List of combinations of GOOS + GOARCH + GOARM to ignore. | ||
| # Default is empty. | ||
| # ignore: | ||
| # - goos: darwin | ||
| # goarch: 386 | ||
| # - goos: linux | ||
| # goarch: arm | ||
| # goarm: 7 | ||
| # - goarm: mips64 | ||
| # - gomips: hardfloat | ||
| # - goamd64: v4 | ||
|
|
||
| # Disable compressing builds as ".tar.gz" file | ||
| archives: | ||
| - format: binary | ||
| - formats: | ||
| - binary | ||
|
|
||
| # Configure the checksums filename, to allow the attestation to pick up the correct filename | ||
| checksum: | ||
| name_template: checksums.txt | ||
|
|
||
| sboms: | ||
| # By default, SBOMs are only created for tar.gz archives, but above (see "archives" section) we overrode this | ||
| # to only generate uncompressed binaries, thus we have to tell the SBOM generation to be applied to these binaries | ||
| - artifacts: binary | ||
| # By default, the files generated by Syft would cause clashes, because we are building multiple CPU versions(!) | ||
| # (e.g. v1/v2/v3 for goamd64). For instance, there would be several SBOM files having the same name, e.g.: | ||
| # cataloging cmd=syft artifact=dist/attestation-experiment_darwin_amd64_v1/attestation-experiment sbom=[attestation-experiment_1.52_darwin_amd64.sbom.json] | ||
| # cataloging cmd=syft artifact=dist/attestation-experiment_darwin_amd64_v2/attestation-experiment sbom=[attestation-experiment_1.52_darwin_amd64.sbom.json] | ||
| # and this would cause upload errors, such as | ||
| # 422 Validation Failed [{Resource:ReleaseAsset Field:name Code:already_exists Message:}] name=attestation-experiment_1.52_darwin_amd64.sbom.json | ||
| # To fix this issue, we simply configure Syft to instead use the artifact's filename as prefix | ||
| documents: | ||
| - "{{ .ArtifactName }}.sbom.json" |