
Streamline SBOM generation and cosigning #46

Merged
erichs merged 2 commits into main from fix-release
Dec 17, 2025

Conversation

@erichs (Owner) commented Dec 17, 2025

.goreleaser.yaml:

  • Checksums renamed to checksums_linux.txt
  • Removed archive SBOM generation (source SBOM generated in workflow instead)

.github/workflows/release.yml:

  • Install syft dependency
  • goreleaser job generates dashlights_<version>_source.sbom.json from source
  • darwin-release uses checksums_darwin.txt (no longer modifies goreleaser output)
  • darwin-release signs checksums_darwin.txt with cosign

Copilot AI review requested due to automatic review settings December 17, 2025 17:47
@codecov-commenter commented Dec 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.10%. Comparing base (dc5cc85) to head (4c4ecb5).

Additional details and impacted files
@@            Coverage Diff             @@
##             main      #46      +/-   ##
==========================================
- Coverage   87.14%   87.10%   -0.05%     
==========================================
  Files          46       46              
  Lines        2474     2474              
==========================================
- Hits         2156     2155       -1     
- Misses        218      220       +2     
+ Partials      100       99       -1     
Flag        Coverage Δ
unittests   87.10% <ø> (-0.05%) ⬇️


Copilot AI left a comment

Pull request overview

This PR streamlines the SBOM generation and artifact signing process for releases by generating a source-based SBOM that includes actual Go dependencies, separating platform-specific checksums, and adding cosigning for Darwin artifacts.

  • Replaced archive-based SBOM generation with source-based SBOM generation that captures go.mod dependencies
  • Separated checksums into platform-specific files (checksums_linux.txt and checksums_darwin.txt) instead of maintaining a single merged file
  • Added cosign signing for Darwin checksums using keyless signing with GitHub OIDC identity

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Files reviewed:
  • .goreleaser.yaml: Renamed checksum file to checksums_linux.txt and removed archive SBOM generation in favor of manual source SBOM generation
  • .github/workflows/release.yml: Added Syft installation and source SBOM generation in goreleaser job; added Cosign installation, checksum signing, and signature upload in darwin-release job
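The consumer side of what the PR description and the review summary above set up: the darwin-release job signs checksums_darwin.txt keylessly with cosign under the workflow's GitHub OIDC identity, so a downloader verifies that signature first and only then trusts the checksums. The script below is an added example, not code from this PR or the project. It assumes a repository path of erichs/dashlights, releases cut from tags matching vX.Y.Z, and that the signature and certificate were uploaded as checksums_darwin.txt.sig and checksums_darwin.txt.pem; none of those names appear on the page. The cosign step needs network access to Fulcio and Rekor, so only the checksum step runs offline.

```shell
#!/bin/sh
# Added example: consumer-side verification of a release whose checksums file
# was signed keylessly with cosign from GitHub Actions. Not from the PR; the
# repo path, tag pattern and .sig/.pem file names are assumptions.
set -eu

# Identity pin for keyless verification. cosign accepts the signature only if the
# Fulcio certificate's SAN matches the release workflow below AND the certificate
# was issued for the GitHub Actions OIDC issuer. Without both flags, a certificate
# obtained by any Sigstore user (e.g. from a fork's workflow) would also verify.
SIGNER_IDENTITY_RE="${SIGNER_IDENTITY_RE:-^https://github\.com/erichs/dashlights/\.github/workflows/release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+}"
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}"

# Portable SHA-256 of a file (coreutils sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_signed_checksums CHECKSUMS SIG CERT
# Verifies the cosign signature over the checksums file, the certificate chain
# to Fulcio, the pinned identity/issuer, and Rekor inclusion. Needs network access.
verify_signed_checksums() {
  cosign verify-blob \
    --certificate "$3" \
    --signature "$2" \
    --certificate-identity-regexp "$SIGNER_IDENTITY_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$1"
}

# verify_artifacts CHECKSUMS DIR
# Lines are "<sha256>  <filename>" (goreleaser / sha256sum format). Returns 1 if
# any listed file is missing or its digest differs; reports every line before failing.
verify_artifacts() {
  checksums="$1"; dir="$2"; status=0
  while read -r want name; do
    [ -n "$name" ] || continue          # skip blank lines
    f="$dir/$name"
    if [ ! -f "$f" ]; then
      echo "MISSING  $name" >&2; status=1; continue
    fi
    got=$(sha256_of "$f")
    if [ "$got" = "$want" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name" >&2; status=1
    fi
  done < "$checksums"
  return "$status"
}

# Usage: sh verify_release.sh checksums_darwin.txt checksums_darwin.txt.sig checksums_darwin.txt.pem ./downloads
# Signature first: a matching checksum proves nothing until the checksums file itself is trusted.
if [ "$#" -eq 4 ]; then
  verify_signed_checksums "$1" "$2" "$3" && verify_artifacts "$1" "$4"
fi
```

The identity regexp is the part most often left out: `cosign verify-blob` without `--certificate-identity`/`--certificate-identity-regexp` and `--certificate-oidc-issuer` proves only that somebody obtained a Sigstore certificate, not that this repository's release workflow did the signing. Note also that the page describes a signature over checksums_darwin.txt only; nothing here says checksums_linux.txt or the source SBOM receive the same treatment, so if they do not, a consumer has no signed statement covering those files.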


@erichs erichs merged commit e5739f6 into main Dec 17, 2025
5 checks passed
@erichs erichs deleted the fix-release branch December 17, 2025 18:02
@erichs erichs restored the fix-release branch December 17, 2025 18:13