Publish Flux Software Bill of Materials (SBOM) in SPDX format

- generate SBOM for Flux Go modules with Syft - publish the SBOM SPDX JSON files to GitHub releases with GoReleaser Signed-off-by: Stefan Prodan <[email protected]>
fluxcd · Jan 14, 2022 · 93401ea · 93401ea
1 parent f38b832
commit 93401ea
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -66,6 +66,12 @@ jobs:
       - name: Archive the OpenAPI JSON schemas
         run: |
           tar -czvf ./output/crd-schemas.tar.gz -C schemas .
+      - name: Setup Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | \
+          sh -s -- -b /usr/local/bin v${SYFT_VERSION}
+        env:
+          SYFT_VERSION: "0.35.1"
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v1
         with:

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -40,6 +40,8 @@ archives:
     format: zip
     files:
       - none*
+sboms:
+  - artifacts: archive
 brews:
   - name: flux
     tap:
-Original file line number
+Diff line change
@@ Expand Up / @@ -40,6 +40,8 @@ archives: @@
         format: zip
         files:
           - none*
+    sboms:
+      - artifacts: archive
     brews:
       - name: flux
         tap:
@@ Expand Down @@