chore(ci): publish sboms

Signed-off-by: Carlos A Becker <caarlos0@gmail.com>

.github/workflows/build.yml

@@ -16,43 +16,27 @@ jobs:
         os: [ ubuntu-latest, macos-latest, windows-latest ]
     runs-on: ${{ matrix.os }}
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
+      - uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
+      - uses: actions/setup-go@v2
         with:
           go-version: ${{ matrix.go-version }}
-      -
-        name: Set up Task
-        uses: arduino/setup-task@v1
+      - uses: arduino/setup-task@v1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Cache Go modules
-        uses: actions/cache@v2
+      - uses: actions/cache@v2
         with:
           path: |
             ~/go/pkg/mod
             ~/.cache/go-build
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-      -
-        name: Setup
-        run: task setup
-      -
-        name: Unit Tests
-        run: task test
-      -
-        name: Diff
-        run: git diff
-      -
-        name: Upload coverage
-        uses: codecov/codecov-action@v2
+      - run: task setup
+      - run: task test
+      - run: git diff
+      - uses: codecov/codecov-action@v2
         if: matrix.os == 'ubuntu-latest'
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -68,43 +52,27 @@ jobs:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
       NO_TEST_PPC64LE: "true"
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
+      - uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
+      - uses: actions/setup-go@v2
         with:
           go-version: ${{ matrix.go-version }}
-      -
-        name: Set up Task
-        uses: arduino/setup-task@v1
+      - uses: arduino/setup-task@v1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Cache Go modules
-        uses: actions/cache@v2
+      - uses: actions/cache@v2
         with:
           path: |
             ~/go/pkg/mod
             ~/.cache/go-build
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Setup
-        run: task setup
-      -
-        name: Acceptance
-        run: TEST_PATTERN=/${{ matrix.pkgFormat }}/${{ matrix.pkgPlatform }}/ task acceptance
+      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-buildx-action@v1
+      - run: task setup
+      - run: TEST_PATTERN=/${{ matrix.pkgFormat }}/${{ matrix.pkgPlatform }}/ task acceptance
   goreleaser:
     strategy:
       matrix:
@@ -119,64 +87,41 @@ jobs:
       id-token: write
       packages: write
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
+      - uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
+      - uses: actions/setup-go@v2
         with:
           go-version: ${{ matrix.go-version }}
-      -
-        name: Set up Task
-        uses: arduino/setup-task@v1
+      - uses: arduino/setup-task@v1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Cache Go modules
-        uses: actions/cache@v2
+      - uses: actions/cache@v2
         with:
           path: |
             ~/go/pkg/mod
             ~/.cache/go-build
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-      -
-        name: Setup Sigstore
-        uses: sigstore/cosign-installer@v1.4.1
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      -
-        name: Setup
-        run: task setup
-      -
-        name: Build
-        run: task build
-      -
-        name: Login to Docker Hub
+      - uses: sigstore/cosign-installer@v1.4.1
+      - uses: anchore/sbom-action/download-syft@v0.6.0
+      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-buildx-action@v1
+      - run: task setup
+      - run: task build
+      - uses: docker/login-action@v1
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      -
-        name: Login to GitHub Container Registry
+      - uses: docker/login-action@v1
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: docker/login-action@v1
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+      - uses: goreleaser/goreleaser-action@v2
         if: success()
         with:
           version: latest

.goreleaser.yml

@@ -142,6 +142,8 @@ nfpms:
 furies:
   - account: goreleaser
 
+sboms:
+- artifacts: archive
 signs:
 - cmd: cosign
   env:
@@ -151,7 +153,6 @@ signs:
   artifacts: checksum
   args:
     - sign-blob
-    - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
     - '--output-certificate=${certificate}'
     - '--output-signature=${signature}'
     - '${artifact}'
@@ -163,7 +164,6 @@ docker_signs:
   output: true
   args:
   - 'sign'
-  - '--oidc-issuer={{if index .Env "CI"}}https://token.actions.githubusercontent.com{{else}}https://oauth2.sigstore.dev/auth{{end}}'
   - '${artifact}'
 
 changelog: