mirror of
https://github.com/anchore/syft
synced 2024-11-13 23:57:07 +00:00
a56292e2e0
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
92 lines
3.3 KiB
YAML
92 lines
3.3 KiB
YAML
release:
|
|
# If set to auto, will mark the release as not ready for production in case there is an indicator for this in the
|
|
# tag e.g. v1.0.0-rc1 .If set to true, will mark the release as not ready for production.
|
|
prerelease: auto
|
|
|
|
# If set to true, will not auto-publish the release. This is done to allow us to review the changelog before publishing.
|
|
draft: true
|
|
|
|
builds:
|
|
- binary: syft
|
|
id: syft
|
|
env:
|
|
- CGO_ENABLED=0
|
|
goos:
|
|
# windows not supported yet (due to jotframe)
|
|
# - windows
|
|
- linux
|
|
goarch:
|
|
- amd64
|
|
# Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
|
|
mod_timestamp: '{{ .CommitTimestamp }}'
|
|
ldflags: |
|
|
-w
|
|
-s
|
|
-extldflags '-static'
|
|
-X github.com/anchore/syft/internal/version.version={{.Version}}
|
|
-X github.com/anchore/syft/internal/version.gitCommit={{.Commit}}
|
|
-X github.com/anchore/syft/internal/version.buildDate={{.Date}}
|
|
-X github.com/anchore/syft/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
|
|
# For more info on this macOS build, see: https://github.com/mitchellh/gon#usage-with-goreleaser
|
|
- binary: syft
|
|
id: syft-macos
|
|
env:
|
|
- CGO_ENABLED=0
|
|
goos:
|
|
- darwin
|
|
goarch:
|
|
- amd64
|
|
# Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
|
|
mod_timestamp: '{{ .CommitTimestamp }}'
|
|
ldflags: |
|
|
-w
|
|
-s
|
|
-extldflags '-static'
|
|
-X github.com/anchore/syft/internal/version.version={{.Version}}
|
|
-X github.com/anchore/syft/internal/version.gitCommit={{.Commit}}
|
|
-X github.com/anchore/syft/internal/version.buildDate={{.Date}}
|
|
-X github.com/anchore/syft/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
|
|
|
|
archives:
|
|
- format: tar.gz
|
|
builds:
|
|
- syft # i.e. Linux only
|
|
- format: zip # This is a hack! We don't actually intend to use _this_ ZIP file, we just need goreleaser to consider the ZIP file produced by gon (which will have the same file name) to be an artifact so we can use it downstream in publishing (e.g. to a homebrew tap)
|
|
id: syft-zip
|
|
builds:
|
|
- syft-macos
|
|
|
|
signs:
|
|
- artifacts: checksum
|
|
cmd: sh
|
|
args:
|
|
- '-c'
|
|
# we should not include the zip artifact, as the artifact is mutated throughout the next macOS notarization step
|
|
# note: sed -i is not portable
|
|
- 'sed "/.*\.zip/d" ${artifact} > tmpfile && mv tmpfile ${artifact} && gpg --output ${signature} --detach-sign ${artifact}'
|
|
- id: syft-macos-signing
|
|
ids:
|
|
- syft-macos
|
|
cmd: ./.github/scripts/mac-sign-and-notarize.sh
|
|
signature: "syft_${VERSION}_darwin_amd64.dmg" # This is somewhat unintuitive. This gets the DMG file recognized as an artifact. In fact, both a DMG and a ZIP file are being produced by this signing step.
|
|
args:
|
|
- "{{ .IsSnapshot }}"
|
|
- "gon.hcl"
|
|
- "./dist/syft_{{ .Version }}_darwin_amd64"
|
|
artifacts: all
|
|
|
|
nfpms:
|
|
- license: "Apache 2.0"
|
|
maintainer: "Anchore, Inc"
|
|
homepage: &website "https://github.com/anchore/syft"
|
|
description: &description "A tool that generates a Software Bill Of Materials (SBOM) from container images and filesystems"
|
|
formats:
|
|
- rpm
|
|
- deb
|
|
|
|
brews:
|
|
- tap:
|
|
owner: anchore
|
|
name: homebrew-syft
|
|
homepage: *website
|
|
description: *description
|