release:
  # If set to auto, will mark the release as not ready for production in case there is an indicator for this in the
  # tag e.g. v1.0.0-rc1 .If set to true, will mark the release as not ready for production.
  prerelease: auto

  # If set to true, will not auto-publish the release. This is done to allow us to review the changelog before publishing.
  draft: true

builds:
  - binary: syft
    id: syft
    env:
      - CGO_ENABLED=0
    goos:
      # windows not supported yet (due to jotframe)
      # - windows
      - linux
    goarch:
      - amd64
    # Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
    mod_timestamp: '{{ .CommitTimestamp }}'
    ldflags: |
      -w
      -s
      -extldflags '-static'
      -X github.com/anchore/syft/internal/version.version={{.Version}}
      -X github.com/anchore/syft/internal/version.gitCommit={{.Commit}}
      -X github.com/anchore/syft/internal/version.buildDate={{.Date}}
      -X github.com/anchore/syft/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
  # For more info on this macOS build, see: https://github.com/mitchellh/gon#usage-with-goreleaser
  - binary: syft
    id: syft-macos
    env:
      - CGO_ENABLED=0
    goos:
      - darwin
    goarch:
      - amd64
    # Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
    mod_timestamp: '{{ .CommitTimestamp }}'
    ldflags: |
      -w
      -s
      -extldflags '-static'
      -X github.com/anchore/syft/internal/version.version={{.Version}}
      -X github.com/anchore/syft/internal/version.gitCommit={{.Commit}}
      -X github.com/anchore/syft/internal/version.buildDate={{.Date}}
      -X github.com/anchore/syft/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}

archives:
  - format: tar.gz
    builds:
      - syft # i.e. Linux only
  - format: zip # This is a hack! We don't actually intend to use _this_ ZIP file, we just need goreleaser to consider the ZIP file produced by gon (which will have the same file name) to be an artifact so we can use it downstream in publishing (e.g. to a homebrew tap)
    id: syft-zip
    builds:
      - syft-macos

signs:
  - id: syft-macos-signing
    ids:
      - syft-macos
    cmd: ./.github/scripts/mac-sign-and-notarize.sh
    signature: "syft_${VERSION}_darwin_amd64.dmg" # This is somewhat unintuitive. This gets the DMG file recognized as an artifact. In fact, both a DMG and a ZIP file are being produced by this signing step.
    args:
      - "{{ .IsSnapshot }}"
      - "gon.hcl"
      - "./dist/syft_{{ .Version }}_darwin_amd64"
    artifacts: all

nfpms:
  - license: "Apache 2.0"
    maintainer: "Anchore, Inc"
    homepage: &website "https://github.com/anchore/syft"
    description: &description "A tool that generates a Software Bill Of Materials (SBOM) from container images and filesystems"
    formats:
      - rpm
      - deb

brews:
  - tap:
      owner: anchore
      name: homebrew-syft
    homepage: *website
    description: *description