From c6341074f91f694dcc6851d9fd7f624a27d0d2e1 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 14 Feb 2024 12:58:10 -0800
Subject: [PATCH] Add SBOMs for binaries and archives
This commit adds the goreleaser configuration for creating SBOM files for binaries and archives. It also upgrades goreleaser-cross to v1.22.
---
 .goreleaser.yml | 8 ++++++++
 Makefile | 2 +-
 docker/build/entrypoint.sh | 5 ++++-
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 8049f24..adc5758 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -147,6 +147,14 @@ nfpms:
 dependencies:
 - pcsc-lite-libs
+sboms:
+ - id: archive
+ artifacts: archive
+ args: ["$artifact", "--output", "cyclonedx-json=$document"]
+ - id: binary
+ artifacts: binary
+ args: ["$artifact", "--output", "cyclonedx-json=$document"]
+
 checksum:
 name_template: "checksums.txt"
diff --git a/Makefile b/Makefile
index 205d243..e7bacb2 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 PKG?=github.com/smallstep/step-kms-plugin
 BINNAME?=step-kms-plugin
-GOLANG_CROSS_VERSION?=v1.21.6
+GOLANG_CROSS_VERSION?=v1.22
 # Set V to 1 for verbose output from the Makefile
 Q=$(if $V,,@)
diff --git a/docker/build/entrypoint.sh b/docker/build/entrypoint.sh
index e2f13d0..0914b95 100755
--- a/docker/build/entrypoint.sh
+++ b/docker/build/entrypoint.sh
@@ -3,6 +3,9 @@
 set -e
 apt update
-apt install --no-install-recommends -y pkg-config libpcsclite-dev libpcsclite-dev:arm64
+apt install --no-install-recommends -y curl pkg-config libpcsclite-dev libpcsclite-dev:arm64
+
+# Install syft
+curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
 exec /entrypoint.sh $@
\ No newline at end of file
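Review bot: Neither `sboms` entry sets `cmd`, so goreleaser falls back to its default `syft` binary, and nothing in this file says where that binary comes from. A comment above `sboms:` such as `# Requires syft on PATH in the build image (installed by docker/build/entrypoint.sh)` would document the dependency for anyone running a release outside that image. The hunk also does not show whether the generated CycloneDX documents end up covered by `checksums.txt` or by any signing step configured elsewhere in the file; that is worth confirming so consumers can verify the SBOMs alongside the archives.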
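Review bot: The added `curl … | sh` line fetches syft's installer from the moving `main` branch and installs whichever release that script resolves, so the release build image runs unpinned, unverified code and the tool that produces the SBOMs can change between builds. Pin both the script and the release, e.g. `curl -sSfL https://raw.githubusercontent.com/anchore/syft/<PINNED_COMMIT>/install.sh | sh -s -- -b /usr/local/bin <SYFT_VERSION>`, or download the release archive and compare it with a recorded SHA-256 before installing. Because the script relies on `set -e` alone, a failed or truncated download on the left side of the pipe would presumably not abort the build at this line; saving the installer to a file and then running it makes that failure fatal.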