release: # If set to auto, will mark the release as not ready for production # in case there is an indicator for this in the tag e.g. v1.0.0-rc1 # If set to true, will mark the release as not ready for production. prerelease: auto # If set to true, will not auto-publish the release. This is done to allow us to review the changelog before publishing. draft: true builds: - binary: grype id: grype env: - CGO_ENABLED=0 goos: - linux goarch: - amd64 - arm64 # Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build) mod_timestamp: '{{ .CommitTimestamp }}' ldflags: | -w -s -extldflags '-static' -X github.com/anchore/grype/internal/version.version={{.Version}} -X github.com/anchore/grype/internal/version.syftVersion={{.Env.SYFT_VERSION}} -X github.com/anchore/grype/internal/version.gitCommit={{.Commit}} -X github.com/anchore/grype/internal/version.buildDate={{.Date}} -X github.com/anchore/grype/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}} - binary: grype id: grype-win env: - CGO_ENABLED=0 goos: - windows goarch: - amd64 # Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build) mod_timestamp: '{{ .CommitTimestamp }}' ldflags: | -w -s -extldflags '-static' -X github.com/anchore/grype/internal/version.version={{.Version}} -X github.com/anchore/grype/internal/version.syftVersion={{.Env.SYFT_VERSION}} -X github.com/anchore/grype/internal/version.gitCommit={{.Commit}} -X github.com/anchore/grype/internal/version.buildDate={{.Date}} -X github.com/anchore/grype/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}} # For more info on this macOS build, see: https://github.com/mitchellh/gon#usage-with-goreleaser - binary: grype id: grype-macos env: - CGO_ENABLED=0 goos: - darwin goarch: - amd64 - arm64 # Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build) mod_timestamp: '{{ .CommitTimestamp }}' ldflags: | -w -s -extldflags '-static' -X github.com/anchore/grype/internal/version.version={{.Version}} -X github.com/anchore/grype/internal/version.syftVersion={{.Env.SYFT_VERSION}} -X github.com/anchore/grype/internal/version.gitCommit={{.Commit}} -X github.com/anchore/grype/internal/version.buildDate={{.Date}} -X github.com/anchore/grype/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}} archives: - format: tar.gz builds: - grype # i.e. Linux only - format: zip # This is a hack for grype-macos! We don't actually intend to use _this_ ZIP file, we just need goreleaser to consider the ZIP file produced by gon (which will have the same file name) to be an artifact so we can use it downstream in publishing (e.g. to a homebrew tap) id: grype-zip builds: - grype-macos - grype-win signs: - artifacts: checksum cmd: sh args: - '-c' # we should not include the zip artifact, as the artifact is mutated throughout the next macOS notarization step # note: sed -i is not portable - 'sed "/.*\.zip/d" ${artifact} > tmpfile && mv tmpfile ${artifact} && gpg --output ${signature} --detach-sign ${artifact}' - id: grype-macos-signing ids: - grype-macos cmd: ./.github/scripts/mac-sign-and-notarize.sh signature: "grype_${VERSION}_darwin_amd64.dmg" # This is somewhat unintuitive. This gets the DMG file recognized as an artifact. In fact, both a DMG and a ZIP file are being produced by this signing step. args: - "{{ .IsSnapshot }}" - "gon.hcl" - "./dist/grype_{{ .Version }}_darwin_amd64" artifacts: all nfpms: - license: "Apache 2.0" maintainer: "Anchore, Inc" homepage: &website "https://github.com/anchore/grype" description: &description "A vulnerability scanner for container images and filesystems" formats: - rpm - deb brews: - tap: owner: anchore name: homebrew-grype install: | bin.install "grype" # Install bash completion output = Utils.popen_read("#{bin}/grype completion bash") (bash_completion/"grype").write output # Install zsh completion output = Utils.popen_read("#{bin}/grype completion zsh") (zsh_completion/"_grype").write output homepage: *website description: *description dockers: - image_templates: - "anchore/grype:latest" - "anchore/grype:{{ .Tag }}-amd64" - "anchore/grype:v{{ .Major }}-amd64" - "anchore/grype:v{{ .Major }}.{{ .Minor }}-amd64" dockerfile: Dockerfile use: buildx build_flag_templates: - "--platform=linux/amd64" - "--build-arg=BUILD_DATE={{.Date}}" - "--build-arg=BUILD_VERSION={{.Version}}" - "--build-arg=VCS_REF={{.FullCommit}}" - "--build-arg=VCS_URL={{.GitURL}}" - image_templates: - "anchore/grype:{{ .Tag }}-arm64v8" - "anchore/grype:v{{ .Major }}-arm64v8" - "anchore/grype:v{{ .Major }}.{{ .Minor }}-arm64v8" goarch: arm64 dockerfile: Dockerfile use: buildx build_flag_templates: - "--platform=linux/arm64/v8" - "--build-arg=BUILD_DATE={{.Date}}" - "--build-arg=BUILD_VERSION={{.Version}}" - "--build-arg=VCS_REF={{.FullCommit}}" - "--build-arg=VCS_URL={{.GitURL}}" docker_manifests: - name_template: anchore/grype:{{ .Tag }} image_templates: - anchore/grype:{{ .Tag }}-amd64 - anchore/grype:v{{ .Major }}-amd64 - anchore/grype:v{{ .Major }}.{{ .Minor }}-amd64 - anchore/grype:{{ .Tag }}-arm64v8 - anchore/grype:v{{ .Major }}-arm64v8 - anchore/grype:v{{ .Major }}.{{ .Minor }}-arm64v8 - name_template: anchore/grype:latest image_templates: - anchore/grype:{{ .Tag }}-amd64 - anchore/grype:v{{ .Major }}-amd64 - anchore/grype:v{{ .Major }}.{{ .Minor }}-amd64 - anchore/grype:{{ .Tag }}-arm64v8 - anchore/grype:v{{ .Major }}-arm64v8 - anchore/grype:v{{ .Major }}.{{ .Minor }}-arm64v8