grype/.goreleaser.yaml
Alex Goodman a399647afc
add docker image to release process
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-03-23 10:00:13 -04:00

117 lines
4.1 KiB
YAML

release:
# If set to auto, will mark the release as not ready for production
# in case there is an indicator for this in the tag e.g. v1.0.0-rc1
# If set to true, will mark the release as not ready for production.
prerelease: auto
# If set to true, will not auto-publish the release. This is done to allow us to review the changelog before publishing.
draft: true
builds:
- binary: grype
id: grype
env:
- CGO_ENABLED=0
goos:
# windows not supported yet (due to jotframe)
# - windows
- linux
goarch:
- amd64
# Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags: |
-w
-s
-extldflags '-static'
-X github.com/anchore/grype/internal/version.version={{.Version}}
-X github.com/anchore/grype/internal/version.gitCommit={{.Commit}}
-X github.com/anchore/grype/internal/version.buildDate={{.Date}}
-X github.com/anchore/grype/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
# For more info on this macOS build, see: https://github.com/mitchellh/gon#usage-with-goreleaser
- binary: grype
id: grype-macos
env:
- CGO_ENABLED=0
goos:
- darwin
goarch:
- amd64
# Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags: |
-w
-s
-extldflags '-static'
-X github.com/anchore/grype/internal/version.version={{.Version}}
-X github.com/anchore/grype/internal/version.gitCommit={{.Commit}}
-X github.com/anchore/grype/internal/version.buildDate={{.Date}}
-X github.com/anchore/grype/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
archives:
- format: tar.gz
builds:
- grype # i.e. Linux only
- format: zip # This is a hack! We don't actually intend to use _this_ ZIP file, we just need goreleaser to consider the ZIP file produced by gon (which will have the same file name) to be an artifact so we can use it downstream in publishing (e.g. to a homebrew tap)
id: grype-zip
builds:
- grype-macos
signs:
- artifacts: checksum
cmd: sh
args:
- '-c'
# we should not include the zip artifact, as the artifact is mutated throughout the next macOS notarization step
# note: sed -i is not portable
- 'sed "/.*\.zip/d" ${artifact} > tmpfile && mv tmpfile ${artifact} && gpg --output ${signature} --detach-sign ${artifact}'
- id: grype-macos-signing
ids:
- grype-macos
cmd: ./.github/scripts/mac-sign-and-notarize.sh
signature: "grype_${VERSION}_darwin_amd64.dmg" # This is somewhat unintuitive. This gets the DMG file recognized as an artifact. In fact, both a DMG and a ZIP file are being produced by this signing step.
args:
- "{{ .IsSnapshot }}"
- "gon.hcl"
- "./dist/grype_{{ .Version }}_darwin_amd64"
artifacts: all
nfpms:
- license: "Apache 2.0"
maintainer: "Anchore, Inc"
homepage: &website "https://github.com/anchore/grype"
description: &description "A vulnerability scanner for container images and filesystems"
formats:
- rpm
- deb
brews:
- tap:
owner: anchore
name: homebrew-grype
install: |
bin.install "grype"
# Install bash completion
output = Utils.popen_read("#{bin}/grype completion bash")
(bash_completion/"grype").write output
# Install zsh completion
output = Utils.popen_read("#{bin}/grype completion zsh")
(zsh_completion/"_grype").write output
homepage: *website
description: *description
dockers:
- dockerfile: Dockerfile
image_templates:
- "anchore/grype:latest"
- "anchore/grype:{{ .Tag }}"
- "anchore/grype:v{{ .Major }}"
- "anchore/grype:v{{ .Major }}.{{ .Minor }}"
build_flag_templates:
- "--build-arg=BUILD_DATE={{.Date}}"
- "--build-arg=BUILD_VERSION={{.Version}}"
- "--build-arg=VCS_REF={{.FullCommit}}"
- "--build-arg=VCS_URL={{.GitURL}}"
use_buildx: true