release:
  # If set to auto, will mark the release as not ready for production
  # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
  # If set to true, will mark the release as not ready for production.
  prerelease: auto

  # If set to true, will not auto-publish the release. This is done to allow us to review the changelog before publishing.
  draft: true

  # This ensures any macOS signed artifacts get included with the release.
  extra_files:
    - glob: "./dist/*.dmg"

builds:
  - binary: grype
    id: grype
    env:
      - CGO_ENABLED=0
    goos:
      # windows not supported yet (due to jotframe)
      # - windows
      - linux
    goarch:
      - amd64
    # Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
    mod_timestamp: '{{ .CommitTimestamp }}'
    ldflags: |
      -w
      -s
      -extldflags '-static'
      -X github.com/anchore/grype/internal/version.version={{.Version}}
      -X github.com/anchore/grype/internal/version.gitCommit={{.Commit}}
      -X github.com/anchore/grype/internal/version.buildDate={{.Date}}
      -X github.com/anchore/grype/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
  # For more info on this macOS build, see: https://github.com/mitchellh/gon#usage-with-goreleaser
  - binary: grype
    id: grype-macos
    env:
      - CGO_ENABLED=0
    goos:
      - darwin
    goarch:
      - amd64
    # Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
    mod_timestamp: '{{ .CommitTimestamp }}'
    ldflags: |
      -w
      -s
      -extldflags '-static'
      -X github.com/anchore/grype/internal/version.version={{.Version}}
      -X github.com/anchore/grype/internal/version.gitCommit={{.Commit}}
      -X github.com/anchore/grype/internal/version.buildDate={{.Date}}
      -X github.com/anchore/grype/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
    hooks:
      post: ./.github/scripts/mac-sign-and-notarize.sh "{{.IsSnapshot}}" "gon.hcl" "./dist/grype_{{.Version}}_{{.Target}}.dmg"

signs:
  - artifacts: checksum
    args: ["--output", "${signature}", "--detach-sign", "${artifact}"]

nfpms:
  - license: "Apache 2.0"
    maintainer: "Anchore, Inc"
    homepage: &website "https://github.com/anchore/grype"
    description: &description "A vulnerability scanner for container images and filesystems"
    formats:
      - rpm
      - deb

brews:
  - tap:
      owner: anchore
      name: homebrew-grype
    homepage: *website
    description: *description

archives:
  - format: tar.gz
    builds:
      - grype # i.e. Linux only
    format_overrides:
      - goos: windows
        format: zip