Add SBOMs for binaries and archives

This commit adds the goreleaser configuration for creating SBOM files for binaries and archives. It also upgrades goreleaser-cross to v1.22.
smallstep · Feb 14, 2024 · c634107 · c634107
1 parent cea887f
commit c634107
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 2 deletions.
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -147,6 +147,14 @@ nfpms:
         dependencies:
           - pcsc-lite-libs
 
+sboms:
+  - id: archive
+    artifacts: archive
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
+  - id: binary
+    artifacts: binary
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
+
 checksum:
   name_template: "checksums.txt"
 

diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 PKG?=github.com/smallstep/step-kms-plugin
 BINNAME?=step-kms-plugin
-GOLANG_CROSS_VERSION?=v1.21.6
+GOLANG_CROSS_VERSION?=v1.22
 
 # Set V to 1 for verbose output from the Makefile
 Q=$(if $V,,@)

diff --git a/docker/build/entrypoint.sh b/docker/build/entrypoint.sh
@@ -3,6 +3,9 @@
 set -e
 
 apt update
-apt install --no-install-recommends -y pkg-config libpcsclite-dev libpcsclite-dev:arm64
+apt install --no-install-recommends -y curl pkg-config libpcsclite-dev libpcsclite-dev:arm64
+
+# Install syft
+curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
 
 exec /entrypoint.sh $@