fix: dedupliate cataloging binary artifacts

[wagoodman]

This PR makes the following adjustments:

• primarily restores the capability to reference binary artifacts when sbom[].artifact == binary
• adds the ability to have templates within sbom[].env values
• only prepends dist config value to paths that relative paths (takes no action on absolute paths)
• decomposes templating code further for the SBOM pipe and surround with more testing

Why make this change? primarily to unlock more workflows when generating SBOMs.

Not all tooling can work with encapsulations of go binaries (zip/tar) and instead need access to the binary directly. Since goreleaser manages creating the binary it is possible to expose the original binary to SBOM tooling even though it may be an encapsulation that is attached to a release (e.g. a zip or tar.gz)

Take for example using cyclonedx-gomod app:

#.goreleaser.yaml

archives:
  - format: tar.gz

sboms:
  - documents:
      - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.cdx.sbom"
    artifacts: binary
    cmd: cyclonedx-gomod
    env: 
      - GOOS={{ .Os }}
      - GOARCH={{ .Arch }}
    args: ["app",  "-json", "-output", "$document", "$PWD"]

With artifacts: binary the SBOM tool gets access to the unarchived binary even though archives[0].format = tar.gz and there is no archives[].format = binary set. Additionally this uses goreleaser-sourced variables to seed the correct go-specific environment variables that the tool keys in on.

Relevant links:

• Support additional SBOM files based on CycloneDX: support generating an additional SBOM file based on CycloneDX format #2808
• Removal of binary from the SBOM pipe artifact filter: fix: sbom binary filter #2798

[caarlos0]

LGTM, seems like its missing a go mod tidy though

[caarlos0]

Thanks for the PR, its looking good to me overall!

The only pointers I have are:

• the deduplication thing maybe is something worth moving to artifacts.go
• there is a test failing
• it looks like its missing a go mod tidy

other than that, lgtm!

PS: sorry for the delay reviewing this, was focusing on other things.
Thanks!

[wagoodman]

@caarlos0 no worries -- this one fell off my radar too.

I went ahead and moved the filter function to artifacts.go, fixed the failing tests, rebased + go mod tidied. Should be good to go 👍

[codecov]

Codecov Report

Merging #2839 (dd2ede7) into main (395ee0a) will increase coverage by 0.18%.
The diff coverage is 85.71%.

❗ Current head dd2ede7 differs from pull request most recent head efe1c4f. Consider uploading reports for the commit efe1c4f to get more accurate results

@@            Coverage Diff             @@
##             main    #2839      +/-   ##
==========================================
+ Coverage   84.36%   84.55%   +0.18%     
==========================================
  Files         111      111              
  Lines        8924     8953      +29     
==========================================
+ Hits         7529     7570      +41     
+ Misses       1122     1111      -11     
+ Partials      273      272       -1     

Impacted Files	Coverage Δ
internal/pipe/sbom/sbom.go	85.52% <82.69%> (+0.52%)	⬆️
internal/artifact/artifact.go	98.02% <100.00%> (+0.18%)	⬆️
internal/tmpl/tmpl.go	97.63% <0.00%> (-0.21%)	⬇️
pkg/context/context.go	100.00% <0.00%> (ø)
internal/pipe/aur/aur.go	80.65% <0.00%> (+0.49%)	⬆️
internal/pipe/git/git.go	84.53% <0.00%> (+1.37%)	⬆️
cmd/build.go	97.93% <0.00%> (+6.20%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 395ee0a...efe1c4f. Read the comment docs.

[wagoodman]

@caarlos0 friendly nudge --let me know if there is anything else you'd like changed/checked on this PR.

[caarlos0]

lgtm except the accidental dep downgrade

thanks again for the pr, sorry for the delayed review

[wagoodman]

no worries at all --updated the go.mod/sum.

[caarlos0]

Thanks!