try to setup sboms

2025-12-23 16:47:47 -06:00 · 2025-12-23 16:47:47 -06:00 · c546dffb52
parent 0d39302c19
commit c546dffb52
2 changed files with 50 additions and 9 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -23,6 +23,8 @@ jobs:
        with:
          fetch-depth: 0
      - run: git fetch --force --tags
+      - uses: anchore/sbom-action/download-syft@v0.7.0 # installs syft
+      - uses: sigstore/cosign-installer@v2.1.0         # installs cosign
      - name: Install RPM tooling
        run: sudo apt-get install -y rpm
      - name: Set up QEMU
@ -92,4 +94,4 @@ jobs:
          -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
          -H "X-GitHub-Api-Version: 2022-11-28" \
          https://api.github.com/repos/unpoller/helm-chart/actions/workflows/OnUnpollerRelease/dispatches \
-          -d '{"ref":"main","inputs":{"unpoller_version":"${{github.ref_name}}" }}'
+          -d '{"ref":"main","inputs":{"unpoller_version":"${{github.ref_name}}" }}'
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -77,14 +77,14 @@ builds:

 archives:
  - id: unpoller
-    builds:
+    ids:
      - unpoller
    files:
      - LICENSE
      - README.md
      - examples/up.*.example
  - id: unpoller-linux-arm
-    builds:
+    ids:
      - unpoller-linux-arm
    files:
      - LICENSE
@ -92,7 +92,7 @@ archives:
      - unpoller_manual.html
      - examples/up.*.example
  - id: unpoller-mac
-    builds:
+    ids:
      - unpoller-mac
    files:
      - LICENSE
@ -102,8 +102,9 @@ archives:
  - id: unpoller-windows
    format_overrides:
      - goos: windows
-        format: zip
-    builds:
+        formats:
+          - zip
+    ids:
      - unpoller-windows
    files:
      - LICENSE
@ -113,9 +114,10 @@ archives:
      - examples/up.*.example
      - init/windows/application.ico
  - id: unpoller-freebsd-pkg
-    builds:
+    ids:
      - unpoller-freebsd
-    format: tar.xz
+    formats:
+      - tar.xz
    wrap_in_directory: false
    files:
      # config files
@ -309,9 +311,22 @@ docker_manifests:
      - "golift/unifi-poller:v{{ .Major }}-arm64v8"
      - "golift/unifi-poller:v{{ .Major }}-armv7"

+
+# signs our docker image
+# https://goreleaser.com/customization/docker_sign
+docker_signs:
+  - cmd: cosign
+    env:
+    - COSIGN_EXPERIMENTAL=1
+    artifacts: images
+    output: true
+    args:
+    - 'sign'
+    - '${artifact}'
+
 nfpms:
  - id: unpoller-packages
-    builds:
+    ids:
      - unpoller
      - unpoller-linux-arm
    file_name_template: '{{ .ProjectName }}_{{ if eq .Os "darwin" }}macOS{{ else if eq .Os "linux" }}Tux{{ else }}{{ .Os }}{{ end }}_{{ if eq .Arch "386" }}32-bit{{ else if eq .Arch "amd64" }}64-bit{{ else }}{{ .Arch }}{{ end }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
@ -507,6 +522,21 @@ signs:
      - unpoller-linux-arm
      - unpoller-windows
      - unpoller-mac
+  # signs the checksum file
+  # all files (including the sboms) are included in the checksum, so we don't need to sign each one if we don't want to
+  # https://goreleaser.com/customization/sign
+  - id: cosign
+    cmd: cosign
+    env:
+    - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+    output: true

 universal_binaries:
  - replace: true
@ -552,6 +582,15 @@ brews:
    post_install: |
      etc.install "examples/up.conf" => "unpoller/up.conf"

+# creates SBOMs of all archives and the source tarball using syft
+# https://goreleaser.com/customization/sbom
+# Two different sbom configurations need two different IDs
+sboms:
+  - id: archive 
+    artifacts: archive
+  - id: source
+    artifacts: source
+
 publishers:
  - name: "packagecloud-publisher"
    ids: