Merge pull request #262 from anchore/fix-release

Fix release process

.goreleaser.yaml

@@ -6,10 +6,6 @@ release:
   # If set to true, will not auto-publish the release. This is done to allow us to review the changelog before publishing.
   draft: true
 
-  # This ensures any macOS signed artifacts get included with the release.
-  extra_files:
-    - glob: "./dist/*.dmg"
-
 builds:
   - binary: syft
     id: syft
@@ -62,14 +58,17 @@ archives:
 
 signs:
   - artifacts: checksum
-    ids:
+    cmd: sh
-      - syft # i.e. Linux only
+    args:
-    args: ["--output", "${signature}", "--detach-sign", "${artifact}"]
+      - '-c'
+      # we should not include the zip artifact, as the artifact is mutated throughout the next macOS notarization step
+      # note: sed -i is not portable
+      - 'sed "/.*\.zip/d" ${artifact} > tmpfile && mv tmpfile ${artifact} && gpg --output ${signature} --detach-sign ${artifact}'
   - id: syft-macos-signing
-    signature: "./dist/syft_{{ .Version }}_darwin_amd64.dmg"
     ids:
       - syft-macos
     cmd: ./.github/scripts/mac-sign-and-notarize.sh
+    signature: "syft_${VERSION}_darwin_amd64.dmg" # This is somewhat unintuitive. This gets the DMG file recognized as an artifact. In fact, both a DMG and a ZIP file are being produced by this signing step.
     args:
       - "{{ .IsSnapshot }}"
       - "gon.hcl"

Makefile

@@ -272,8 +272,11 @@ release: clean-dist ci-bootstrap-mac changelog-release ## Build and publish fina
 	echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml
 	cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml
 
-	# release
+	# release (note the version transformation from v0.7.0 --> 0.7.0)
-	bash -c "BUILD_GIT_TREE_STATE=$(GITTREESTATE) $(TEMPDIR)/goreleaser \
+	bash -c "\
+		BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
+		VERSION=$(VERSION:v%=%) \
+		$(TEMPDIR)/goreleaser \
 			--rm-dist \
 			--config $(TEMPDIR)/goreleaser.yaml \
 			--release-notes <(cat CHANGELOG.md)"