fix: deduplicate cataloging binary artifacts #2839
LGTM, seems like it's missing a go mod tidy though
Thanks for the PR, it's looking good to me overall! The only pointers I have are:
other than that, lgtm! PS: sorry for the delay reviewing this, was focusing on other things.
@caarlos0 no worries -- this one fell off my radar too. I went ahead and moved the filter function to
Codecov Report
@@ Coverage Diff @@
## main #2839 +/- ##
==========================================
+ Coverage 84.36% 84.55% +0.18%
==========================================
Files 111 111
Lines 8924 8953 +29
==========================================
+ Hits 7529 7570 +41
+ Misses 1122 1111 -11
+ Partials 273 272 -1
@caarlos0 friendly nudge -- let me know if there is anything else you'd like changed/checked on this PR.
lgtm except the accidental dep downgrade
thanks again for the pr, sorry for the delayed review
no worries at all -- updated the go.mod/sum.
Thanks!
For some reason the set lib was throwing an int overflow error on snapshot when there are no binary artifacts to sign.
Refs #2839
See https://github.com/goreleaser/goreleaser/runs/5334854323?check_suite_focus=true#step:21:50
Signed-off-by: Carlos A Becker <caarlos0@gmail.com>
This PR makes the following adjustments:
sbom[].artifact == binary
sbom[].env
valuesdist
config value to paths that relative paths (takes no action on absolute paths)
Why make this change? Primarily to unlock more workflows when generating SBOMs.
Not all tooling can work with encapsulations of go binaries (zip/tar) and instead needs access to the binary directly. Since goreleaser manages creating the binary, it is possible to expose the original binary to SBOM tooling even though it may be an encapsulation that is attached to a release (e.g. a zip or tar.gz).
Take for example using cyclonedx-gomod app:
With artifacts: binary the SBOM tool gets access to the unarchived binary even though archives[0].format = tar.gz and there is no archives[].format = binary set. Additionally, this uses goreleaser-sourced variables to seed the correct go-specific environment variables that the tool keys in on.
Relevant links: