Add SBOM generation and checksums signing to release (#55)

* chore: update release strategy to include brew Signed-off-by: Christopher Phillips <[email protected]> * chore: add cosign for checksum signatures Signed-off-by: Christopher Phillips <[email protected]> * fix sbom generation Signed-off-by: Alex Goodman <[email protected]> --------- Signed-off-by: Christopher Phillips <[email protected]> Signed-off-by: Alex Goodman <[email protected]> Co-authored-by: Alex Goodman <[email protected]>
anchore · Apr 25, 2024 · 1776554 · 1776554
1 parent 93bffd5
commit 1776554
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 7 deletions.
diff --git a/.binny.yaml b/.binny.yaml
@@ -12,6 +12,7 @@ tools:
         - -X main.gitDescription={{ .Version }}
         # note: sprig functions are available: http://masterminds.github.io/sprig/
         - -X main.buildDate={{ now | date "2006-01-02T15:04:05Z07:00" }}
+
   - name: binny
     version:
       want: v0.6.2
@@ -54,9 +55,17 @@ tools:
     with:
       repo: charmbracelet/glow
 
+  # used for signing the checksums file at release
+  - name: cosign
+    version:
+      want: v2.2.4
+    method: github-release
+    with:
+      repo: sigstore/cosign
+
   - name: goreleaser
     version:
-      want: v1.21.1
+      want: v1.25.1
     method: github-release
     with:
       repo: goreleaser/goreleaser
@@ -70,7 +79,7 @@ tools:
 
   - name: bouncer
     version:
-      want: v0.1.0
+      want: v0.4.0
     method: github-release
     with:
       repo: wagoodman/go-bouncer
@@ -84,7 +93,7 @@ tools:
 
   - name: syft
     version:
-      want: v0.95.0
+      want: v1.2.0
     method: github-release
     with:
-      repo: anchore/syft
+      repo: anchore/syft
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -47,8 +47,8 @@ jobs:
     permissions:
       contents: write
       packages: write
-      issues: read
-      pull-requests: read
+      # required for goreleaser signs section with cosign
+      id-token: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
         with:

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -3,6 +3,7 @@ release:
   draft: false
 
 env:
+  # required to support multi architecture docker builds
   - CGO_ENABLED=0
 
 builds:
@@ -35,6 +36,11 @@ builds:
       - arm64
     mod_timestamp: *build-timestamp
     ldflags: *build-ldflags
+    hooks:
+      post:
+        - cmd: .tool/quill sign-and-notarize "{{ .Path }}" --dry-run={{ .IsSnapshot }} --ad-hoc={{ .IsSnapshot }} -vv
+          env:
+            - QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log
 
 archives:
   - id: linux-archives
@@ -43,3 +49,49 @@ archives:
   - id: darwin-archives
     builds:
       - darwin-build
+
+nfpms:
+  - license: "Apache 2.0"
+    maintainer: "Anchore, Inc"
+    homepage: &website "https://github.com/anchore/grant"
+    description: &description "A tool consumes SBOMS and details license information"
+    formats:
+      - rpm
+      - deb
+
+brews:
+  - tap:
+      owner: anchore
+      name: homebrew-grant
+      token: "{{.Env.GITHUB_BREW_TOKEN}}"
+    ids:
+      - darwin-archives
+      - linux-archives
+    homepage: *website
+    description: *description
+    license: "Apache License 2.0"
+
+sboms:
+  - artifacts: archive
+    # this is relative to the snapshot/dist directory, not the root of the repo
+    cmd: ../.tool/syft
+    documents:
+      - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom"
+    args:
+      - "scan"
+      - "$artifact"
+      - "--output"
+      - "json=$document"
+
+signs:
+  - cmd: .tool/cosign
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    args:
+      - "sign-blob"
+      - "--oidc-issuer=https://token.actions.githubusercontent.com"
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - "--yes"
+    artifacts: checksum
diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -56,6 +56,7 @@ tasks:
       - "{{ .TOOL_DIR }}/chronicle"
       - "{{ .TOOL_DIR }}/glow"
       - "{{ .TOOL_DIR }}/goreleaser"
+      - "{{ .TOOL_DIR }}/bouncer"
     status:
       - "{{ .TOOL_DIR }}/binny check -v"
     cmd: "{{ .TOOL_DIR }}/binny install -v"
@@ -141,7 +142,7 @@ tasks:
       - cmd: "mkdir -p {{ .TMP_DIR }}"
         silent: true
       - cmd: |
-          cat .goreleaser.yaml >> {{ .TMP_DIR }}/goreleaser.yaml
+          cat .goreleaser.yaml > {{ .TMP_DIR }}/goreleaser.yaml
           echo "dist: {{ .SNAPSHOT_DIR }}" >> {{ .TMP_DIR }}/goreleaser.yaml
       - cmd: "{{ .TOOL_DIR }}/goreleaser release --clean --skip=publish --skip=sign --snapshot --config {{ .TMP_DIR }}/goreleaser.yaml"