
Commit 2c0a99d

fix: goreleaser config improvements from PR review
- Add explicit syft cmd/args for SBOMs (not just artifacts: archive)
- Fix cosign verification command in release header (--bundle not --signature)
- Use .sig extension for bundle file (GoReleaser default)
1 parent 1dba57f commit 2c0a99d

1 file changed

Lines changed: 9 additions & 3 deletions

.goreleaser.yaml

@@ -36,7 +36,14 @@ signs:
3636
- "${artifact}"
3737

3838
sboms:
39-
- artifacts: archive
39+
- cmd: syft
40+
artifacts: archive
41+
args:
42+
- "${artifact}"
43+
- --output
44+
- spdx-json=${document}
45+
documents:
46+
- "${artifact}.spdx.json"
4047

4148
changelog:
4249
sort: asc
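Review bot: the explicit `cmd: syft`, `args:` and `documents:` values in this hunk are, as far as I can tell, GoReleaser's documented defaults for `artifacts: archive` (syft, `$artifact --output spdx-json=$document`, `${artifact}.spdx.json`), so behaviour does not change; the gain is only that the SBOM tool and format are now pinned in the repo, and a one-line comment saying so would save the next reader from hunting for a difference. Two points to follow up: the SBOM is generated from the archive, so it describes the tarball contents rather than the bare binary, which is fine but should be stated in the release notes; and unless the `signs:` block above sets `artifacts: all` (only its `- "${artifact}"` argument is visible here), the `.spdx.json` documents ship unsigned, leaving consumers with no tamper evidence for the SBOM itself. Pinning the syft version in the release workflow would also keep the SBOM output reproducible between runs.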
@@ -77,8 +84,7 @@ release:
7784
To verify the checksums file:
7885
```
7986
cosign verify-blob \
80-
--certificate checksums.txt.cert \
81-
--signature checksums.txt.sig \
87+
--bundle checksums.txt.sig \
8288
--certificate-identity-regexp="https://github.com/thedavidweng/money" \
8389
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
8490
checksums.txt
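Review bot: `--bundle checksums.txt.sig` only verifies if the `signs:` block actually writes a cosign bundle to `${signature}` (`sign-blob ... --bundle=${signature}`); to my knowledge GoReleaser's default cosign invocation uses `--output-signature=${signature}` and `--output-certificate=${certificate}`, which yields a bare `.sig` plus a `.pem`, and `verify-blob --bundle` rejects a bare signature. Dropping `--certificate checksums.txt.cert` is right for the bundle case, since the bundle carries the certificate and the Rekor entry, but the `signs:` hunk above shows only `- "${artifact}"`, so please confirm the sign arguments match or the documented command fails for every user. Separately, `--certificate-identity-regexp="https://github.com/thedavidweng/money"` is an unanchored regular expression: it also matches identities such as `https://github.com/thedavidweng/money-fork/.github/workflows/...`, and the unescaped dots match any character. Anchor it to the exact workflow and ref, for example `--certificate-identity-regexp='^https://github\.com/thedavidweng/money/\.github/workflows/<release-workflow>\.yml@refs/tags/v.*$'` (workflow file name to be filled in), or use `--certificate-identity` with the exact value.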
