diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 93ac832c6..eaf89dfc3 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -14,11 +14,7 @@ builds: dir: ./cmd/syft binary: syft goos: [linux] - goarch: - - amd64 - - arm64 -# - ppc64le -# - s390x + goarch: [amd64, arm64, ppc64le, s390x] mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}' ldflags: &build-ldflags | -w @@ -29,53 +25,53 @@ builds: -X main.buildDate={{.Date}} -X main.gitDescription={{.Summary}} -# - id: darwin-build -# dir: ./cmd/syft -# binary: syft -# goos: [darwin] -# goarch: [amd64, arm64] -# mod_timestamp: *build-timestamp -# ldflags: *build-ldflags -# hooks: -# post: -# - cmd: .tool/quill sign-and-notarize "{{ .Path }}" --dry-run={{ .IsSnapshot }} --ad-hoc={{ .IsSnapshot }} -vv -# env: -# - QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log -# -# - id: windows-build -# dir: ./cmd/syft -# binary: syft -# goos: [windows] -# goarch: [amd64, arm64] -# mod_timestamp: *build-timestamp -# ldflags: *build-ldflags + - id: darwin-build + dir: ./cmd/syft + binary: syft + goos: [darwin] + goarch: [amd64, arm64] + mod_timestamp: *build-timestamp + ldflags: *build-ldflags + hooks: + post: + - cmd: .tool/quill sign-and-notarize "{{ .Path }}" --dry-run={{ .IsSnapshot }} --ad-hoc={{ .IsSnapshot }} -vv + env: + - QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log + + - id: windows-build + dir: ./cmd/syft + binary: syft + goos: [windows] + goarch: [amd64, arm64] + mod_timestamp: *build-timestamp + ldflags: *build-ldflags archives: - id: linux-archives ids: [linux-build] -# - id: darwin-archives -# ids: [darwin-build] -# - id: windows-archives -# formats: -# - zip -# ids: [windows-build] + - id: darwin-archives + ids: [darwin-build] + - id: windows-archives + formats: + - zip + ids: [windows-build] -#nfpms: -# - license: "Apache 2.0" -# maintainer: "Anchore, Inc" -# homepage: &website "https://github.com/anchore/syft" -# description: &description "A tool that generates a Software Bill Of Materials (SBOM) from container images and filesystems" -# formats: [rpm, deb] -# -#brews: -# - repository: -# owner: anchore -# name: homebrew-syft -# token: "{{.Env.GITHUB_BREW_TOKEN}}" -# ids: [darwin-archives, linux-archives] -# homepage: *website -# description: *description -# license: "Apache License 2.0" +nfpms: + - license: "Apache 2.0" + maintainer: "Anchore, Inc" + homepage: &website "https://github.com/anchore/syft" + description: &description "A tool that generates a Software Bill Of Materials (SBOM) from container images and filesystems" + formats: [rpm, deb] + +brews: + - repository: + owner: anchore + name: homebrew-syft + token: "{{.Env.GITHUB_BREW_TOKEN}}" + ids: [darwin-archives, linux-archives] + homepage: *website + description: *description + license: "Apache License 2.0" dockers: # production images... @@ -105,31 +101,31 @@ dockers: - "--build-arg=VCS_REF={{.FullCommit}}" - "--build-arg=VCS_URL={{.GitURL}}" -# - image_templates: -# - anchore/syft:{{.Tag}}-ppc64le -# - ghcr.io/anchore/syft:{{.Tag}}-ppc64le -# goarch: ppc64le -# dockerfile: Dockerfile -# use: buildx -# build_flag_templates: -# - "--platform=linux/ppc64le" -# - "--build-arg=BUILD_DATE={{.Date}}" -# - "--build-arg=BUILD_VERSION={{.Version}}" -# - "--build-arg=VCS_REF={{.FullCommit}}" -# - "--build-arg=VCS_URL={{.GitURL}}" -# -# - image_templates: -# - anchore/syft:{{.Tag}}-s390x -# - ghcr.io/anchore/syft:{{.Tag}}-s390x -# goarch: s390x -# dockerfile: Dockerfile -# use: buildx -# build_flag_templates: -# - "--platform=linux/s390x" -# - "--build-arg=BUILD_DATE={{.Date}}" -# - "--build-arg=BUILD_VERSION={{.Version}}" -# - "--build-arg=VCS_REF={{.FullCommit}}" -# - "--build-arg=VCS_URL={{.GitURL}}" + - image_templates: + - anchore/syft:{{.Tag}}-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-ppc64le + goarch: ppc64le + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/ppc64le" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-s390x + - ghcr.io/anchore/syft:{{.Tag}}-s390x + goarch: s390x + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/s390x" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" # nonroot images... - image_templates: @@ -158,192 +154,193 @@ dockers: - "--build-arg=VCS_REF={{.FullCommit}}" - "--build-arg=VCS_URL={{.GitURL}}" -# - image_templates: -# - anchore/syft:{{.Tag}}-nonroot-ppc64le -# - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le -# goarch: ppc64le -# dockerfile: Dockerfile.nonroot -# use: buildx -# build_flag_templates: -# - "--platform=linux/ppc64le" -# - "--build-arg=BUILD_DATE={{.Date}}" -# - "--build-arg=BUILD_VERSION={{.Version}}" -# - "--build-arg=VCS_REF={{.FullCommit}}" -# - "--build-arg=VCS_URL={{.GitURL}}" -# -# - image_templates: -# - anchore/syft:{{.Tag}}-nonroot-s390x -# - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x -# goarch: s390x -# dockerfile: Dockerfile.nonroot -# use: buildx -# build_flag_templates: -# - "--platform=linux/s390x" -# - "--build-arg=BUILD_DATE={{.Date}}" -# - "--build-arg=BUILD_VERSION={{.Version}}" -# - "--build-arg=VCS_REF={{.FullCommit}}" -# - "--build-arg=VCS_URL={{.GitURL}}" + - image_templates: + - anchore/syft:{{.Tag}}-nonroot-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le + goarch: ppc64le + dockerfile: Dockerfile.nonroot + use: buildx + build_flag_templates: + - "--platform=linux/ppc64le" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" -# # debug images... -# - image_templates: -# - anchore/syft:{{.Tag}}-debug-amd64 -# - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64 -# goarch: amd64 -# dockerfile: Dockerfile.debug -# use: buildx -# build_flag_templates: -# - "--platform=linux/amd64" -# - "--build-arg=BUILD_DATE={{.Date}}" -# - "--build-arg=BUILD_VERSION={{.Version}}" -# - "--build-arg=VCS_REF={{.FullCommit}}" -# - "--build-arg=VCS_URL={{.GitURL}}" -# -# - image_templates: -# - anchore/syft:{{.Tag}}-debug-arm64v8 -# - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 -# goarch: arm64 -# dockerfile: Dockerfile.debug -# use: buildx -# build_flag_templates: -# - "--platform=linux/arm64/v8" -# - "--build-arg=BUILD_DATE={{.Date}}" -# - "--build-arg=BUILD_VERSION={{.Version}}" -# - "--build-arg=VCS_REF={{.FullCommit}}" -# - "--build-arg=VCS_URL={{.GitURL}}" -# -# - image_templates: -# - anchore/syft:{{.Tag}}-debug-ppc64le -# - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le -# goarch: ppc64le -# dockerfile: Dockerfile.debug -# use: buildx -# build_flag_templates: -# - "--platform=linux/ppc64le" -# - "--build-arg=BUILD_DATE={{.Date}}" -# - "--build-arg=BUILD_VERSION={{.Version}}" -# - "--build-arg=VCS_REF={{.FullCommit}}" -# - "--build-arg=VCS_URL={{.GitURL}}" -# -# - image_templates: -# - anchore/syft:{{.Tag}}-debug-s390x -# - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x -# goarch: s390x -# dockerfile: Dockerfile.debug -# use: buildx -# build_flag_templates: -# - "--platform=linux/s390x" -# - "--build-arg=BUILD_DATE={{.Date}}" -# - "--build-arg=BUILD_VERSION={{.Version}}" -# - "--build-arg=VCS_REF={{.FullCommit}}" -# - "--build-arg=VCS_URL={{.GitURL}}" + - image_templates: + - anchore/syft:{{.Tag}}-nonroot-s390x + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x + goarch: s390x + dockerfile: Dockerfile.nonroot + use: buildx + build_flag_templates: + - "--platform=linux/s390x" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + # debug images... + - image_templates: + - anchore/syft:{{.Tag}}-debug-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64 + goarch: amd64 + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/amd64" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-debug-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 + goarch: arm64 + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/arm64/v8" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-debug-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le + goarch: ppc64le + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/ppc64le" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-debug-s390x + - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x + goarch: s390x + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/s390x" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" docker_manifests: - name_template: anchore/syft:latest image_templates: - anchore/syft:{{.Tag}}-amd64 - anchore/syft:{{.Tag}}-arm64v8 -# - anchore/syft:{{.Tag}}-ppc64le -# - anchore/syft:{{.Tag}}-s390x + - anchore/syft:{{.Tag}}-ppc64le + - anchore/syft:{{.Tag}}-s390x -# - name_template: ghcr.io/anchore/syft:latest -# image_templates: -# - ghcr.io/anchore/syft:{{.Tag}}-amd64 -# - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 -# - ghcr.io/anchore/syft:{{.Tag}}-ppc64le -# - ghcr.io/anchore/syft:{{.Tag}}-s390x -# -# - name_template: anchore/syft:{{.Tag}} -# image_templates: -# - anchore/syft:{{.Tag}}-amd64 -# - anchore/syft:{{.Tag}}-arm64v8 -# - anchore/syft:{{.Tag}}-ppc64le -# - anchore/syft:{{.Tag}}-s390x -# -# - name_template: ghcr.io/anchore/syft:{{.Tag}} -# image_templates: -# - ghcr.io/anchore/syft:{{.Tag}}-amd64 -# - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 -# - ghcr.io/anchore/syft:{{.Tag}}-ppc64le -# - ghcr.io/anchore/syft:{{.Tag}}-s390x -# -# # nonroot images... -# - name_template: anchore/syft:nonroot -# image_templates: -# - anchore/syft:{{.Tag}}-nonroot-amd64 -# - anchore/syft:{{.Tag}}-nonroot-arm64v8 -# - anchore/syft:{{.Tag}}-nonroot-ppc64le -# - anchore/syft:{{.Tag}}-nonroot-s390x -# -# - name_template: ghcr.io/anchore/syft:nonroot -# image_templates: -# - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64 -# - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8 -# - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le -# - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x -# -# - name_template: anchore/syft:{{.Tag}}-nonroot -# image_templates: -# - anchore/syft:{{.Tag}}-nonroot-amd64 -# - anchore/syft:{{.Tag}}-nonroot-arm64v8 -# - anchore/syft:{{.Tag}}-nonroot-ppc64le -# - anchore/syft:{{.Tag}}-nonroot-s390x -# -# - name_template: ghcr.io/anchore/syft:{{.Tag}}-nonroot -# image_templates: -# - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64 -# - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8 -# - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le -# - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x -# -# # debug images... -# - name_template: anchore/syft:debug -# image_templates: -# - anchore/syft:{{.Tag}}-debug-amd64 -# - anchore/syft:{{.Tag}}-debug-arm64v8 -# - anchore/syft:{{.Tag}}-debug-ppc64le -# - anchore/syft:{{.Tag}}-debug-s390x -# -# - name_template: ghcr.io/anchore/syft:debug -# image_templates: -# - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64 -# - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 -# - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le -# - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x -# -# - name_template: anchore/syft:{{.Tag}}-debug -# image_templates: -# - anchore/syft:{{.Tag}}-debug-amd64 -# - anchore/syft:{{.Tag}}-debug-arm64v8 -# - anchore/syft:{{.Tag}}-debug-ppc64le -# - anchore/syft:{{.Tag}}-debug-s390x -# -# - name_template: ghcr.io/anchore/syft:{{.Tag}}-debug -# image_templates: -# - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64 -# - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 -# - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le -# - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x + - name_template: ghcr.io/anchore/syft:latest + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-s390x -#sboms: -# - artifacts: archive -# cmd: ../.tool/syft -# documents: -# - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom" -# args: -# - "scan" -# - "$artifact" -# - "--output" -# - "json=$document" -# -#signs: -# - cmd: .tool/cosign -# signature: "${artifact}.sig" -# certificate: "${artifact}.pem" -# args: -# - "sign-blob" -# - "--oidc-issuer=https://token.actions.githubusercontent.com" -# - "--output-certificate=${certificate}" -# - "--output-signature=${signature}" -# - "${artifact}" -# - "--yes" -# artifacts: checksum + - name_template: anchore/syft:{{.Tag}} + image_templates: + - anchore/syft:{{.Tag}}-amd64 + - anchore/syft:{{.Tag}}-arm64v8 + - anchore/syft:{{.Tag}}-ppc64le + - anchore/syft:{{.Tag}}-s390x + + - name_template: ghcr.io/anchore/syft:{{.Tag}} + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-s390x + + # nonroot images... + - name_template: anchore/syft:nonroot + image_templates: + - anchore/syft:{{.Tag}}-nonroot-amd64 + - anchore/syft:{{.Tag}}-nonroot-arm64v8 + - anchore/syft:{{.Tag}}-nonroot-ppc64le + - anchore/syft:{{.Tag}}-nonroot-s390x + + - name_template: ghcr.io/anchore/syft:nonroot + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x + + - name_template: anchore/syft:{{.Tag}}-nonroot + image_templates: + - anchore/syft:{{.Tag}}-nonroot-amd64 + - anchore/syft:{{.Tag}}-nonroot-arm64v8 + - anchore/syft:{{.Tag}}-nonroot-ppc64le + - anchore/syft:{{.Tag}}-nonroot-s390x + + - name_template: ghcr.io/anchore/syft:{{.Tag}}-nonroot + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x + + # debug images... + - name_template: anchore/syft:debug + image_templates: + - anchore/syft:{{.Tag}}-debug-amd64 + - anchore/syft:{{.Tag}}-debug-arm64v8 + - anchore/syft:{{.Tag}}-debug-ppc64le + - anchore/syft:{{.Tag}}-debug-s390x + + - name_template: ghcr.io/anchore/syft:debug + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x + + - name_template: anchore/syft:{{.Tag}}-debug + image_templates: + - anchore/syft:{{.Tag}}-debug-amd64 + - anchore/syft:{{.Tag}}-debug-arm64v8 + - anchore/syft:{{.Tag}}-debug-ppc64le + - anchore/syft:{{.Tag}}-debug-s390x + + - name_template: ghcr.io/anchore/syft:{{.Tag}}-debug + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x + +sboms: + - artifacts: archive + cmd: ../.tool/syft + documents: + - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom" + args: + - "scan" + - "$artifact" + - "--output" + - "json=$document" + +signs: + - cmd: .tool/cosign + signature: "${artifact}.sig" + certificate: "${artifact}.pem" + args: + - "sign-blob" + - "--use-signing-config=false" + - "--oidc-issuer=https://token.actions.githubusercontent.com" + - "--output-certificate=${certificate}" + - "--output-signature=${signature}" + - "${artifact}" + - "--yes" + artifacts: checksum