@@ -108,6 +108,8 @@ jobs:
108108 context : .
109109 file : ./${{ matrix.path }}/build.Dockerfile
110110 platforms : linux/amd64,linux/arm64
111+ provenance : mode=max
112+ sbom : true
111113 push : true
112114 tags : |
113115 ${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}:latest
@@ -128,24 +130,12 @@ jobs:
128130 COSIGN_PRIVATE_KEY : ${{secrets.COSIGN_PRIVATE_KEY}}
129131 COSIGN_PASSWORD : ${{secrets.COSIGN_PASSWORD}}
130132
131- - name : Generate image SBOM file name
132- id : image-sbom-file-gen
133- run : echo "IMG_SBOM_FILE=${{ format('{0}-{1}-sbom.spdx.json', matrix.path, env.VERSION) }}" >> $GITHUB_OUTPUT
134-
135- - name : SBOM for latest image
136- uses : anchore/sbom-action@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0
137- with :
138- image : ${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}:${{ env.VERSION }}
139- artifact-name : ${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
140- output-file : ${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
141-
142133 - name : Bundle release assets
143134 uses : softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
144135 with :
145136 tag_name : ${{ env.TAG }}
146137 files : |
147138 ${{ env.PUBLIC_KEY_FILE }}
148- ${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
149139
150140release-go-binaries :
151141 name : Create and publish binaries to GitHub
@@ -211,24 +201,6 @@ jobs:
211201 run : |
212202 env CGO_ENABLED=0 GOOS=windows GOARCH=386 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_windows_i386 ./${{ matrix.path }}/main.go
213203 zip -r ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Windows_i386.zip ./${{ matrix.path }}_windows_i386 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
214- # Bundle licenses
215- - name : Install go-licenses
216- run : go install github.com/google/go-licenses@latest
217- - name : Build license extraction locations
218- id : license-files
219- run : |
220- echo "LICENSE_FOLDER=${{ format('{0}-third-party-license', matrix.path) }}" >> $GITHUB_OUTPUT
221- echo "LICENSE_ERROR_FILE=${{ format('{0}-license-errors.txt', matrix.path) }}" >> $GITHUB_OUTPUT
222- name : Run go-licenses for module ${{ matrix.path }}
223- run : go-licenses save ./${{ matrix.path }} --save_path=./${{ steps.license-files.outputs.LICENSE_FOLDER }} --force --logtostderr=false 2> ./${{ steps.license-files.outputs.LICENSE_ERROR_FILE }}
224- continue-on-error : true # tool set stderr which can be ignored and referred through error artefact
225- - name : Bundle license extracts
226- run : |
227- if [ -d ./${{ steps.license-files.outputs.LICENSE_FOLDER }} ]; then
228- tar czf ./${{ steps.license-files.outputs.LICENSE_FOLDER }}.tar.gz ./${{ steps.license-files.outputs.LICENSE_FOLDER }}
229- else
230- echo "Directory ./${{ steps.license-files.outputs.LICENSE_FOLDER }} does not exist. Skipping tar creation."
231- fi
232204# Bundle release artifacts
233205 - name : Bundle release assets
234206 uses : softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
@@ -238,7 +210,6 @@ jobs:
238210 ./sbom.xml
239211 ./*.tar.gz
240212 ./*.zip
241- ./${{ steps.license-files.outputs.LICENSE_ERROR_FILE }}
242213homebrew :
243214 name : Bump homebrew-core formula
244215 needs : release-please
0 commit comments