feat: integrate sbom generation to goreleaser (#1850)

Co-authored-by: hackerman <[email protected]>
ory · Nov 2, 2021 · 305bb28 · 305bb28
1 parent 8c8815b
commit 305bb28
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 4 deletions.
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -9,6 +9,7 @@ before:
   hooks:
     - go mod download
     - go mod tidy
+    - go install github.com/CycloneDX/[email protected]
 
 builds:
   -
@@ -28,8 +29,11 @@ builds:
       - amd64
     goos:
       - darwin
+    hooks:
+      post:
+        - cmd: cyclonedx-gomod app -licenses -json -output "./dist/{{ .ProjectName }}_{{ .Version }}-sqlite_{{ .Target }}.bom.json"
+        - cmd: ./.releaser/rename.sh "./dist/{{ .ProjectName }}_{{ .Version }}-sqlite_{{ .Target }}.bom.json"
   -
-
     id: kratos-sqlite-darwin-arm
     flags:
       - -tags
@@ -46,7 +50,10 @@ builds:
       - arm64
     goos:
       - darwin
-
+    hooks:
+      post:
+        - cmd: cyclonedx-gomod app -licenses -json -output "./dist/{{ .ProjectName }}_{{ .Version }}-sqlite_{{ .Target }}.bom.json"
+        - cmd: ./.releaser/rename.sh "./dist/{{ .ProjectName }}_{{ .Version }}-sqlite_{{ .Target }}.bom.json"
   -
     id: kratos-sqlite-linux
     flags:
@@ -61,7 +68,10 @@ builds:
       - amd64
     goos:
       - linux
-
+    hooks:
+      post:
+        - cmd: cyclonedx-gomod app -licenses -json -output "./dist/{{ .ProjectName }}_{{ .Version }}-sqlite_{{ .Target }}.bom.json"
+        - cmd: ./.releaser/rename.sh "./dist/{{ .ProjectName }}_{{ .Version }}-sqlite_{{ .Target }}.bom.json"
   -
     id: kratos-sqlite-linux-libmusl
     flags:
@@ -77,7 +87,10 @@ builds:
       - amd64
     goos:
       - linux
-
+    hooks:
+      post:
+        - cmd: cyclonedx-gomod app -licenses -json -output "./dist/{{ .ProjectName }}_{{ .Version }}-sqlite-libmusl_{{ .Target }}.bom.json"
+        - cmd: ./.releaser/rename.sh "./dist/{{ .ProjectName }}_{{ .Version }}-sqlite-libmusl_{{ .Target }}.bom.json"
   -
     id: kratos-sqlite-windows
     flags:
@@ -97,6 +110,10 @@ builds:
       - amd64
     goos:
       - windows
+    hooks:
+      post:
+        - cmd: cyclonedx-gomod app -licenses -json -output "./dist/{{ .ProjectName }}_{{ .Version }}-sqlite_{{ .Target }}.bom.json"
+        - cmd: ./.releaser/rename.sh "./dist/{{ .ProjectName }}_{{ .Version }}-sqlite_{{ .Target }}.bom.json"
 
   -
     id: kratos
@@ -118,6 +135,10 @@ builds:
       - linux
       - windows
       - darwin
+    hooks:
+      post:
+        - cmd: cyclonedx-gomod app -licenses -json -output "./dist/{{ .ProjectName }}_{{ .Version }}_{{ .Target }}.bom.json"
+        - cmd: ./.releaser/rename.sh "./dist/{{ .ProjectName }}_{{ .Version }}_{{ .Target }}.bom.json"
 
 archives:
   - id: kratos-sqlite
@@ -215,6 +236,8 @@ scoop:
 
 checksum:
   algorithm: sha256
+  extra_files:
+    - glob: ./dist/*.bom.json
 
 dockers:
   - dockerfile: .docker/Dockerfile-sqlite
@@ -245,3 +268,5 @@ release:
     - kratos-sqlite
     - kratos-sqlite-libmusl
     - kratos
+  extra_files:
+    - glob: ./dist/*.bom.json
diff --git a/.releaser/rename.sh b/.releaser/rename.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# workaround script as goreleaser doesnt support 'replacements' in builds section
+# needed to adjust cyclonedx-gomod sbom files to match archive file names
+# https://github.com/goreleaser/goreleaser/issues/2617
+filename=$1
+filename_adjusted=${filename//darwin/macos}
+filename_adjusted=${filename_adjusted//386/32bit}
+filename_adjusted=${filename_adjusted//amd64/64bit}
+filename_adjusted=${filename_adjusted//arm_5/arm32v5}
+filename_adjusted=${filename_adjusted//arm_6/arm32v6}
+filename_adjusted=${filename_adjusted//arm_7/arm32v7}
+
+if [ "$filename" != "$filename_adjusted" ]; then 
+  echo "Renaming '$filename' to '$filename_adjusted' ..."
+  mv "$filename" "$filename_adjusted" 
+else 
+  echo "Skipping file '$filename' ..."
+fi
+