mirror of
https://github.com/anchore/grype
synced 2024-11-10 06:34:13 +00:00
9cd917d29c
* update grype to compile windows Signed-off-by: spiffcs <christopher.phillips@anchore.com> Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * update go mod with new stereoscope Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * update build comments Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * small build tags Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * add goreleaser windows Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * bump syft version Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * update tests Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * update test images to use newest pinned golang Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
139 lines
4.9 KiB
YAML
139 lines
4.9 KiB
YAML
release:
|
|
# If set to auto, will mark the release as not ready for production
|
|
# in case there is an indicator for this in the tag e.g. v1.0.0-rc1
|
|
# If set to true, will mark the release as not ready for production.
|
|
prerelease: auto
|
|
|
|
# If set to true, will not auto-publish the release. This is done to allow us to review the changelog before publishing.
|
|
draft: true
|
|
|
|
builds:
|
|
- binary: grype
|
|
id: grype
|
|
env:
|
|
- CGO_ENABLED=0
|
|
goos:
|
|
- windows
|
|
- linux
|
|
goarch:
|
|
- amd64
|
|
# Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
|
|
mod_timestamp: '{{ .CommitTimestamp }}'
|
|
ldflags: |
|
|
-w
|
|
-s
|
|
-extldflags '-static'
|
|
-X github.com/anchore/grype/internal/version.version={{.Version}}
|
|
-X github.com/anchore/grype/internal/version.syftVersion={{.Env.SYFT_VERSION}}
|
|
-X github.com/anchore/grype/internal/version.gitCommit={{.Commit}}
|
|
-X github.com/anchore/grype/internal/version.buildDate={{.Date}}
|
|
-X github.com/anchore/grype/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
|
|
- binary: grype
|
|
id: grype-arm64
|
|
env:
|
|
- CGO_ENABLED=0
|
|
goos:
|
|
- linux
|
|
goarch:
|
|
- arm64
|
|
# Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
|
|
mod_timestamp: '{{ .CommitTimestamp }}'
|
|
ldflags: |
|
|
-w
|
|
-s
|
|
-extldflags '-static'
|
|
-X github.com/anchore/grype/internal/version.version={{.Version}}
|
|
-X github.com/anchore/grype/internal/version.syftVersion={{.Env.SYFT_VERSION}}
|
|
-X github.com/anchore/grype/internal/version.gitCommit={{.Commit}}
|
|
-X github.com/anchore/grype/internal/version.buildDate={{.Date}}
|
|
-X github.com/anchore/grype/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
|
|
|
|
# For more info on this macOS build, see: https://github.com/mitchellh/gon#usage-with-goreleaser
|
|
- binary: grype
|
|
id: grype-macos
|
|
env:
|
|
- CGO_ENABLED=0
|
|
goos:
|
|
- darwin
|
|
goarch:
|
|
- amd64
|
|
# Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
|
|
mod_timestamp: '{{ .CommitTimestamp }}'
|
|
ldflags: |
|
|
-w
|
|
-s
|
|
-extldflags '-static'
|
|
-X github.com/anchore/grype/internal/version.version={{.Version}}
|
|
-X github.com/anchore/grype/internal/version.syftVersion={{.Env.SYFT_VERSION}}
|
|
-X github.com/anchore/grype/internal/version.gitCommit={{.Commit}}
|
|
-X github.com/anchore/grype/internal/version.buildDate={{.Date}}
|
|
-X github.com/anchore/grype/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
|
|
|
|
archives:
|
|
- format: tar.gz
|
|
builds:
|
|
- grype # i.e. Linux only
|
|
- grype-arm64
|
|
- format: zip # This is a hack! We don't actually intend to use _this_ ZIP file, we just need goreleaser to consider the ZIP file produced by gon (which will have the same file name) to be an artifact so we can use it downstream in publishing (e.g. to a homebrew tap)
|
|
id: grype-zip
|
|
builds:
|
|
- grype-macos
|
|
|
|
signs:
|
|
- artifacts: checksum
|
|
cmd: sh
|
|
args:
|
|
- '-c'
|
|
# we should not include the zip artifact, as the artifact is mutated throughout the next macOS notarization step
|
|
# note: sed -i is not portable
|
|
- 'sed "/.*\.zip/d" ${artifact} > tmpfile && mv tmpfile ${artifact} && gpg --output ${signature} --detach-sign ${artifact}'
|
|
- id: grype-macos-signing
|
|
ids:
|
|
- grype-macos
|
|
cmd: ./.github/scripts/mac-sign-and-notarize.sh
|
|
signature: "grype_${VERSION}_darwin_amd64.dmg" # This is somewhat unintuitive. This gets the DMG file recognized as an artifact. In fact, both a DMG and a ZIP file are being produced by this signing step.
|
|
args:
|
|
- "{{ .IsSnapshot }}"
|
|
- "gon.hcl"
|
|
- "./dist/grype_{{ .Version }}_darwin_amd64"
|
|
artifacts: all
|
|
|
|
nfpms:
|
|
- license: "Apache 2.0"
|
|
maintainer: "Anchore, Inc"
|
|
homepage: &website "https://github.com/anchore/grype"
|
|
description: &description "A vulnerability scanner for container images and filesystems"
|
|
formats:
|
|
- rpm
|
|
- deb
|
|
|
|
brews:
|
|
- tap:
|
|
owner: anchore
|
|
name: homebrew-grype
|
|
install: |
|
|
bin.install "grype"
|
|
|
|
# Install bash completion
|
|
output = Utils.popen_read("#{bin}/grype completion bash")
|
|
(bash_completion/"grype").write output
|
|
|
|
# Install zsh completion
|
|
output = Utils.popen_read("#{bin}/grype completion zsh")
|
|
(zsh_completion/"_grype").write output
|
|
homepage: *website
|
|
description: *description
|
|
|
|
dockers:
|
|
- dockerfile: Dockerfile
|
|
image_templates:
|
|
- "anchore/grype:latest"
|
|
- "anchore/grype:{{ .Tag }}"
|
|
- "anchore/grype:v{{ .Major }}"
|
|
- "anchore/grype:v{{ .Major }}.{{ .Minor }}"
|
|
build_flag_templates:
|
|
- "--build-arg=BUILD_DATE={{.Date}}"
|
|
- "--build-arg=BUILD_VERSION={{.Version}}"
|
|
- "--build-arg=VCS_REF={{.FullCommit}}"
|
|
- "--build-arg=VCS_URL={{.GitURL}}"
|
|
use: buildx
|