From f24fa2896a692b40fdb652eb59c333c58ca57332 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Fri, 22 Mar 2024 14:57:07 +0800
Subject: [PATCH] fix: switch to simple SBOM generation

Switch from Snyk to Github generated SBOM because it is more detailed and simpler to generate.
---
 .github/workflows/release.yaml | 10 +++++++++-
 .gitignore | 3 +++
 .goreleaser.yaml | 5 +++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 76d7e50..97f30ac 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -64,10 +64,18 @@ jobs:
 - name: Set up environment
 run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
 - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- - uses: anchore/sbom-action/download-syft@9fece9e20048ca9590af301449208b2b8861333b # v0.15.9
+ - uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
+ id: sbom
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Move sbom to avoid dirty git
+ run: mv "$GITHUB_SBOM_PATH" ./sbom.spdx.json
+ env:
+ GITHUB_SBOM_PATH: ${{ steps.sbom.outputs.fileName }}
 - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
 with:
 version: latest
 args: release --clean
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_SBOM_PATH: ./sbom.spdx.json
diff --git a/.gitignore b/.gitignore
index 9b1c8b1..7e275b7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
 /dist
+/cover.out
+/cover.out.raw
+/sbom.spdx.json
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 8721c54..875dc99 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -73,3 +73,8 @@ docker_signs:
 - "--yes"
 artifacts: all
 output: true
+
+release:
+ extra_files:
+ - glob: "{{ .Env.GITHUB_SBOM_PATH }}"
+ name_template: "{{ .ProjectName }}.v{{ .Version }}.sbom.spdx.json"
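Review bot: The SBOM that `advanced-security/sbom-generator-action` emits is built from the repository's GitHub dependency graph, not from the binaries goreleaser compiles in the following step, so the file released alongside the artifacts is no longer tied to what was actually built the way the removed syft step's output would have been; a comment above the new `- uses: advanced-security/sbom-generator-action` line would keep that from being mistaken for a per-artifact SBOM, e.g. `# SBOM is derived from the GitHub dependency graph (declared deps), not from the compiled artifacts`. The step is handed only `GITHUB_TOKEN`, which the dependency-graph API reads under `contents: read`; the workflow's `permissions:` block is outside this hunk, so confirm it grants that explicitly rather than relying on the repository default. The move to `./sbom.spdx.json` relies on the matching `.gitignore` entry to keep `release --clean` from seeing a dirty tree, which is worth stating in the step name or a comment so the two changes are not later undone independently. The enclosing `steps:` list begins before this hunk.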
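Review bot: As far as this hunk shows, the SBOM added under `release.extra_files` is uploaded without being checksummed or signed — `docker_signs` covers images, and goreleaser does not include `extra_files` in the checksums file unless they are also listed under `checksum.extra_files` — so the one artifact meant to describe the others carries no integrity guarantee. If a `signs:` section (not visible here) signs the checksum file, adding `checksum:` / `  extra_files:` / `    - glob: "{{ .Env.GITHUB_SBOM_PATH }}"` would bring the SBOM under that signature; otherwise consider signing it as a separate artifact. Note that `.Env.GITHUB_SBOM_PATH` makes the release config depend on the workflow exporting that variable, so a one-line comment above `extra_files:` naming where it is set (`# set by .github/workflows/release.yaml`) would help anyone running goreleaser locally.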