How to add a generated SBOM to the archives?

[jamietanna]

When not specifying the archives, an SBOM does not get uploaded to the

For example (via):

project_name: example
builds:
  - env: [CGO_ENABLED=0]
    goos:
      - linux
      - windows
      - darwin
    goarch:
      - amd64
      - arm64
gitlab_urls:
  use_package_registry: true
sboms:
  - artifacts: archive

This uploads the SBOMs to the release.

However, when we specify archives, the SBOMs are no longer uploaded, via:

project_name: example
builds:
  - env: [CGO_ENABLED=0]
    goos:
      - linux
      - windows
      - darwin
    goarch:
      - amd64
      - arm64
archives:
  - format: tar.gz
    builds:
      - default
gitlab_urls:
  use_package_registry: true
sboms:
  - artifacts: archive

We can see that SBOMs are no longer present in the release.

Edit: this may be mis-configuration as I don't see anything in there.

Alternatively, see https://gitlab.com/tanna.dev/dependency-management-data/-/releases/v0.52.5 and https://gitlab.com/tanna.dev/dependency-management-data/-/blob/v0.52.5/.goreleaser.yaml

[caarlos0]

if you remove the build: [default] from archives it'll work I think.

this is one more thing that could be improved in #4407

that said, sboms are created after the archives, so they can't be included in them

[jamietanna]

So sboms[].ids should contain all the archives[].ids? I feel I've done that in https://gitlab.com/tanna.dev/dependency-management-data/-/releases/v0.52.8 but no dice

[caarlos0]

your sbom config is wrong... its not writing any files, thus they're not being added to the release.

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 649a32d..d173783 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -8,22 +8,22 @@ archives:
     name_template: "dmd_{{ .Os }}_{{ .Arch }}"
     wrap_in_directory: false
 builds:
-- binary: dmd
-  flags:
-    - -trimpath
-  id: dmd
-  ignore:
-    - goarch: "386"
-      goos: windows
-  main: ./cmd/dmd
-- binary: dmd-web
-  flags:
-    - -trimpath
-  id: dmd-web
-  ignore:
-    - goarch: "386"
-      goos: windows
-  main: ./cmd/dmd-web
+  - binary: dmd
+    flags:
+      - -trimpath
+    id: dmd
+    ignore:
+      - goarch: "386"
+        goos: windows
+    main: ./cmd/dmd
+  - binary: dmd-web
+    flags:
+      - -trimpath
+    id: dmd-web
+    ignore:
+      - goarch: "386"
+        goos: windows
+    main: ./cmd/dmd-web
 changelog:
   sort: asc
 sboms:
@@ -34,7 +34,7 @@ sboms:
       - wo/version
     documents:
       - "${artifact}.spdx.json"
-    args: ["$artifact", "--file", "$sbom", "--output", "spdx-json"]
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
   - id: cyclonedx
     artifacts: archive
     ids:
@@ -42,11 +42,11 @@ sboms:
       - wo/version
     documents:
       - "${artifact}.cyclonedx.json"
-    args: ["$artifact", "--file", "$sbom", "--output", "cyclonedx-json"]
+    args: ["$artifact", "--output", "cyclonedx-json=$document"]
 checksum:
-  name_template: 'checksums.txt'
+  name_template: "checksums.txt"
 env:
-- CGO_ENABLED=0
+  - CGO_ENABLED=0
 gitlab_urls:
   use_package_registry: true
 snapshot:

[caarlos0]

also made some improvements to prevent this #4430

[jamietanna]

Thank you, the args was the last thing 👏

To confirm, the final .goreleaser.yaml I needed, on v1.20.0 was:

archives:
  - format: zip
    id: w/version
    name_template: "dmd_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
    wrap_in_directory: false
  - format: zip
    id: wo/version
    name_template: "dmd_{{ .Os }}_{{ .Arch }}"
    wrap_in_directory: false
builds:
- binary: dmd
  flags:
    - -trimpath
  id: dmd
  ignore:
    - goarch: "386"
      goos: windows
  main: ./cmd/dmd
- binary: dmd-web
  flags:
    - -trimpath
  id: dmd-web
  ignore:
    - goarch: "386"
      goos: windows
  main: ./cmd/dmd-web
changelog:
  sort: asc
sboms:
  - id: spdx
    artifacts: archive
    ids:
      - w/version
      - wo/version
    documents:
      - "${artifact}.spdx.json"
    args: ["$artifact", "--output", "spdx-json=$document"]
  - id: cyclonedx
    artifacts: archive
    ids:
      - w/version
      - wo/version
    documents:
      - "${artifact}.cyclonedx.json"
    args: ["$artifact", "--output", "cyclonedx-json=$document"]
checksum:
  name_template: 'checksums.txt'
env:
- CGO_ENABLED=0
gitlab_urls:
  use_package_registry: true
snapshot:
  name_template: "{{ incpatch .Version }}-next"
archives:
  - format: zip
    id: w/version
    name_template: "dmd_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
    wrap_in_directory: false
  - format: zip
    id: wo/version
    name_template: "dmd_{{ .Os }}_{{ .Arch }}"
    wrap_in_directory: false
builds:
- binary: dmd
  flags:
    - -trimpath
  id: dmd
  ignore:
    - goarch: "386"
      goos: windows
  main: ./cmd/dmd
- binary: dmd-web
  flags:
    - -trimpath
  id: dmd-web
  ignore:
    - goarch: "386"
      goos: windows
  main: ./cmd/dmd-web
changelog:
  sort: asc
sboms:
  - id: spdx
    artifacts: archive
    ids:
      - w/version
      - wo/version
    documents:
      - "${artifact}.spdx.json"
    args: ["$artifact", "--output", "spdx-json=$document"]
  - id: cyclonedx
    artifacts: archive
    ids:
      - w/version
      - wo/version
    documents:
      - "${artifact}.cyclonedx.json"
    args: ["$artifact", "--output", "cyclonedx-json=$document"]
checksum:
  name_template: 'checksums.txt'
env:
- CGO_ENABLED=0
gitlab_urls:
  use_package_registry: true
snapshot:
  name_template: "{{ incpatch .Version }}-next"