From 9fe4f93bc7afd92f9e98749006aab7f0dd45562c Mon Sep 17 00:00:00 2001
From: Mohammed Al Sahaf
Date: Tue, 13 Sep 2022 01:59:53 +0300
Subject: [PATCH] supplychain: publish signing cert, sbom, and signatures of sbom (#5027)

---
 .goreleaser.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index d3de2b70..9369bc48 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -68,12 +68,16 @@ builds:
 signs:
   - cmd: cosign
     signature: "${artifact}.sig"
-    args: ["sign-blob", "--output-signature=${signature}", "--output-certificate", "${signature}.pem", "${artifact}"]
+    certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem'
+    args: ["sign-blob", "--output-signature=${signature}", "--output-certificate", "${certificate}", "${artifact}"]
     artifacts: all
 sboms:
   - artifacts: binary
+    # defaults to
+    # documents:
+    #   - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom"
     cmd: syft
-    args: ["$artifact", "--file", "$sbom", "--output", "cyclonedx-json"]
+    args: ["$artifact", "--file", "${document}", "--output", "cyclonedx-json"]
 archives:
   - format_overrides:
       - goos: windows
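Review bot: The new `certificate` template on the signs entry strips only `.tar.gz`, so with `artifacts: all` every other signed artifact keeps its full name in the certificate path (presumably `<name>.zip.pem` for the Windows archive covered by the `format_overrides` entry at the bottom of the hunk, plus `checksums.txt.pem` and `<name>.sbom.pem` for the SBOM documents) while tarballs get a bare `<name>.pem`; anyone verifying a release has to derive the certificate path from the artifact name, and a split naming rule like this is easy to get wrong and is not documented anywhere in the file. Either state the rule in a comment above the field, e.g. `# certificate is named after the artifact stem for tarballs; other artifacts keep their full name + .pem`, or make the stem uniform by also stripping the zip suffix: `certificate: '{{ trimsuffix (trimsuffix .Env.artifact ".tar.gz") ".zip" }}.pem'`. A smaller style point: the rewritten sboms `args` line mixes `$artifact` and `${document}`; `${artifact}` would match the signs entry above. The `archives:` mapping that closes the hunk continues outside it.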