build: produce an sbom for each binary built (#62)

* remove replacements in .goreleaser.yml Signed-off-by: nscuro <[email protected]> * remove builds for x86 Signed-off-by: nscuro <[email protected]> * generate sbom for each binary built during release Signed-off-by: nscuro <[email protected]> * update cyclonedx-cli to 0.17.2 Signed-off-by: nscuro <[email protected]> Closes #61
CycloneDX · Sep 12, 2021 · d44cc3f · d44cc3f
1 parent b04354b
commit d44cc3f
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 42 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -42,18 +42,11 @@ jobs:
         run: |
           mkdir -p "$HOME/.local/bin"
           echo "$HOME/.local/bin" >> $GITHUB_PATH
-          wget -O "$HOME/.local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.17.0/cyclonedx-linux-x64
+          wget -O "$HOME/.local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.17.2/cyclonedx-linux-x64
           chmod +x "$HOME/.local/bin/cyclonedx"
       - name: Checkout Repository
         uses: actions/checkout@v2
       - name: Build
         run: make build
       - name: Test
         run: make test
-      - name: Generate SBOM
-        uses: CycloneDX/[email protected]
-        with:
-          include-stdlib: true
-          json: true
-          resolve-licenses: true
-          version: "^v0"
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -17,14 +17,6 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.17
-      - name: Generate SBOM
-        uses: CycloneDX/[email protected]
-        with:
-          include-stdlib: true
-          json: true
-          output: bom.json
-          resolve-licenses: true
-          version: "^v0"
       - name: Docker login
         uses: docker/login-action@v1
         with:

diff --git a/.gitignore b/.gitignore
@@ -24,4 +24,6 @@ dist/
 
 # SBOMs generated during CI
 /bom.json
+/*.bom.json
 /bom.xml
+/*.bom.xml
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -1,3 +1,12 @@
+project_name: cyclonedx-gomod
+
+before:
+  hooks:
+    # https://goreleaser.com/customization/build/#go-modules
+    - go mod tidy
+    # Prebuild a binary that'll be used to generate SBOMs later
+    - sh -c "VERSION={{ .Version }} make build"
+
 builds:
   - env:
       - CGO_ENABLED=0
@@ -6,28 +15,31 @@ builds:
       - windows
       - darwin
     goarch:
-      - 386
       - amd64
       - arm64
-    ignore:
-      - goos: darwin
-        goarch: 386
     flags: |
       -trimpath
     ldflags: |
       -s
       -w
       -X github.com/CycloneDX/cyclonedx-gomod/internal/version.Version={{ .Tag }}
-    mod_timestamp: '{{ .CommitTimestamp }}'
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    hooks:
+      post:
+        - cmd: ./bin/cyclonedx-gomod app -licenses -json -output "{{ .ProjectName }}_{{ .Version }}_{{ .Target }}.bom.json"
+          env:
+            - GOARCH={{ .Arch }}
+            - GOOS={{ .Os }}
+
 dockers:
   - goos: linux
     goarch: amd64
+    dockerfile: Dockerfile.goreleaser
     image_templates:
       - "cyclonedx/cyclonedx-gomod:latest"
       - "cyclonedx/cyclonedx-gomod:{{ .Tag }}"
       - "cyclonedx/cyclonedx-gomod:v{{ .Major }}"
       - "cyclonedx/cyclonedx-gomod:v{{ .Major }}.{{ .Minor }}"
-    dockerfile: Dockerfile.goreleaser
     build_flag_templates:
       - "--label=org.opencontainers.image.title={{ .ProjectName }}"
       - "--label=org.opencontainers.image.version={{ .Tag }}"
@@ -36,26 +48,21 @@ dockers:
       - "--label=org.opencontainers.image.vendor=CycloneDX"
       - "--label=org.opencontainers.image.url=https://cyclonedx.org"
       - "--label=org.opencontainers.image.source=https://github.com/CycloneDX/cyclonedx-gomod"
-    skip_push: false
+
 archives:
-  - replacements:
-      darwin: macos
-      386: x86
-      amd64: x64
-    format_overrides:
+  - format_overrides:
       - goos: windows
         format: zip
-checksum:
-  name_template: 'checksums.txt'
-snapshot:
-  name_template: "{{ .Tag }}-snapshot"
+
 release:
-  extra_files:
-    - glob: ./bom.json
   prerelease: auto
+  extra_files:
+    - glob: ./*.bom.json
+
 milestones:
   - name_template: "{{ .Tag }}"
     close: true
+
 changelog:
   sort: asc
   filters:

diff --git a/Makefile b/Makefile
@@ -1,12 +1,16 @@
-LDFLAGS="-s -w -X github.com/CycloneDX/cyclonedx-gomod/internal/version.Version=v0.0.0-$(shell git show -s --date=format:'%Y%m%d%H%M%S' --format=%cd HEAD)-$(shell git rev-parse HEAD | head -c 12)"
+ifeq ($(VERSION),)
+	VERSION=v0.0.0-$(shell git show -s --date=format:'%Y%m%d%H%M%S' --format=%cd HEAD)-$(shell git rev-parse HEAD | head -c 12)
+endif
+
+LDFLAGS="-s -w -X github.com/CycloneDX/cyclonedx-gomod/internal/version.Version=${VERSION}"
 
 build:
 	mkdir -p ./bin
-	go build -v -ldflags=${LDFLAGS} -o ./bin/cyclonedx-gomod
+	CGO_ENABLED=0 go build -v -ldflags=${LDFLAGS} -o ./bin/cyclonedx-gomod
 .PHONY: build
 
 install:
-	go install -v -ldflags=${LDFLAGS}
+	CGO_ENABLED=0 go install -v -ldflags=${LDFLAGS}
 .PHONY: install
 
 generate:
@@ -29,11 +33,6 @@ docker:
 	docker build -t cyclonedx/cyclonedx-gomod -f Dockerfile .
 .PHONY: docker
 
-bom: build
-	./bin/cyclonedx-gomod mod -licenses -std -json -output bom.json
-	cyclonedx validate --input-file bom.json --fail-on-errors
-.PHONY: bom
-
 goreleaser-dryrun:
 	goreleaser release --skip-publish --snapshot
 .PHONY: goreleaser-dryrun