feat(goreleaser): support SBOM and ARMv5

The following patch adjusts the Goreleaser configuration to build ARMv5 binaries
as well as container images. It also replaces docker and docker_manifest with
docker_v2.

Goreleaser has also been extended to generate SBOM files in cdx and spdx format.

.goreleaser.yaml

@@ -1,7 +1,17 @@
 project_name: dcmerge
 
 archives:
-- formats: [ "tar.xz" ]
+- id: archives
+  formats:
+  - tar.xz
+  name_template: >-
+    {{ .ProjectName }}-
+    {{- .Version }}-
+    {{- .Os }}-
+    {{- if eq .Arch "amd64" }}amd64
+    {{- else if eq .Arch "amd64_v1" }}amd64
+    {{- else }}{{ .Arch }}{{ end }}
+    {{- if .Arm }}-{{ .Arm }}{{ end }}
   files:
   - README.md
   - LICENSE
@@ -11,15 +21,9 @@ before:
   - go mod tidy
 
 builds:
-- main: main.go
+- id: dcmerge
-  binary: >-
+  main: main.go
-    {{ .ProjectName }}-
+  binary: dcmerge
-    {{- .Version }}-
-    {{- .Os }}-
-    {{- if eq .Arch "amd64" }}amd64
-    {{- else if eq .Arch "amd64_v1" }}amd64
-    {{- else }}{{ .Arch }}{{ end }}
-    {{- if .Arm }}-{{ .Arm }}{{ end }}
   env:
   - CGO_ENABLED=0
   - GONOSUMDB={{ .Env.GONOSUMDB }}
@@ -32,12 +36,15 @@ builds:
   - arm64
   - riscv64
   goarm:
+  - "5"
   - "6"
   - "7"
   flags:
   - -trimpath
+  - -mod=readonly
+  - -modcacherw
   ldflags:
-  - -s -w -X 'main.version={{ trimprefix .Tag "v" }}'
+  - -s -w -X 'main.version={{ .Version }}'
 
 changelog:
   filters:
@@ -61,112 +68,246 @@ changelog:
   sort: asc
   use: git
 
-dockers:
+dockers_v2:
-- build_flag_templates:
+- # ID of the image, needed if you want to filter by it later on (e.g. on custom publishers).
-  - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}
+  # Default: project name
-  - --label=org.opencontainers.image.description={{ .ProjectName }}
+  id: container-images
-  - --label=org.opencontainers.image.documentation={{ .ProjectName }}
-  - --label=org.opencontainers.image.revision={{ .FullCommit }}
-  - --label=org.opencontainers.image.source={{ .GitURL }}
-  - --label=org.opencontainers.image.title={{ .ProjectName }}
-  - --label=org.opencontainers.image.url=https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}
-  - --label=org.opencontainers.image.version={{ trimprefix .Tag "v" }}
-  - --platform=linux/amd64
-  - --pull
-  dockerfile: Dockerfile
-  goarch: amd64
-  goos: linux
-  image_templates:
-  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}-amd64'
-  skip_push: false
-  use: buildx
 
-- build_flag_templates:
+  # Path to the Dockerfile (from the project root).
-  - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}
+  dockerfile: Dockerfile.scratch
-  - --label=org.opencontainers.image.description={{ .ProjectName }}
-  - --label=org.opencontainers.image.documentation={{ .ProjectName }}
-  - --label=org.opencontainers.image.revision={{ .FullCommit }}
-  - --label=org.opencontainers.image.source={{ .GitURL }}
-  - --label=org.opencontainers.image.title={{ .ProjectName }}
-  - --label=org.opencontainers.image.url=https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}
-  - --label=org.opencontainers.image.version={{ trimprefix .Tag "v" }}
-  - --platform=linux/arm/v6
-  - --pull
-  dockerfile: Dockerfile
-  goarch: arm
-  goarm: "6"
-  goos: linux
-  image_templates:
-  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}-arm-v6'
-  skip_push: false
-  use: buildx
 
-- build_flag_templates:
+  # IDs to filter the binaries/packages.
-  - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}
+  #
-  - --label=org.opencontainers.image.description={{ .ProjectName }}
+  # Make sure to only include the IDs of binaries you want to `COPY` in your
-  - --label=org.opencontainers.image.documentation={{ .ProjectName }}
+  # Dockerfile.
-  - --label=org.opencontainers.image.revision={{ .FullCommit }}
+  #
-  - --label=org.opencontainers.image.source={{ .GitURL }}
+  # If you include IDs that don't exist or are not available for the current
-  - --label=org.opencontainers.image.title={{ .ProjectName }}
+  # architecture being built, the build of the image will be skipped.
-  - --label=org.opencontainers.image.url=https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}
+  ids:
-  - --label=org.opencontainers.image.version={{ trimprefix .Tag "v" }}
+  - dcmerge
-  - --platform=linux/arm/v7
-  - --pull
-  dockerfile: Dockerfile
-  goarch: arm
-  goarm: "7"
-  goos: linux
-  image_templates:
-  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}-arm-v7'
-  skip_push: false
-  use: buildx
 
-- build_flag_templates:
+  # Annotations to be added to the image.
-  - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}
+  annotations:
-  - --label=org.opencontainers.image.description={{ .ProjectName }}
+    org.opencontainers.image.authors: "Volker Raschek"
-  - --label=org.opencontainers.image.documentation={{ .ProjectName }}
+    org.opencontainers.image.created: "{{ .Date }}"
-  - --label=org.opencontainers.image.revision={{ .FullCommit }}
+    org.opencontainers.image.description: "{{ .ProjectName }}"
-  - --label=org.opencontainers.image.source={{ .GitURL }}
+    org.opencontainers.image.documentation: "{{ .ProjectName }}"
-  - --label=org.opencontainers.image.title={{ .ProjectName }}
+    org.opencontainers.image.licenses: "MIT"
-  - --label=org.opencontainers.image.url=https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}
+    org.opencontainers.image.revision: "{{ .FullCommit }}"
-  - --label=org.opencontainers.image.version={{ trimprefix .Tag "v" }}
+    org.opencontainers.image.source: "{{ .GitURL }}"
-  - --platform=linux/arm64
+    org.opencontainers.image.title: "{{ .ProjectName }}"
-  - --pull
+    org.opencontainers.image.url: "https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}"
-  dockerfile: Dockerfile
+    org.opencontainers.image.vendor: "Volker Raschek"
-  goarch: arm64
+    org.opencontainers.image.version: "{{ .Version }}"
-  goos: linux
-  image_templates:
-  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}-arm64'
-  skip_push: false
-  use: buildx
 
-- build_flag_templates:
+    io.artifacthub.package.alternative-locations: "docker.io/volkerraschek/{{ .ProjectName }}:{{ .Version }}"
-  - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }}
+    io.artifacthub.package.keywords: "docker,docker-compose,merge,ci"
-  - --label=org.opencontainers.image.description={{ .ProjectName }}
+    io.artifacthub.package.license: "MIT"
-  - --label=org.opencontainers.image.documentation={{ .ProjectName }}
+    io.artifacthub.package.readme-url: "https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}/raw/tag/v{{ .Version }}/README.md"
-  - --label=org.opencontainers.image.revision={{ .FullCommit }}
-  - --label=org.opencontainers.image.source={{ .GitURL }}
-  - --label=org.opencontainers.image.title={{ .ProjectName }}
-  - --label=org.opencontainers.image.url=https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}
-  - --label=org.opencontainers.image.version={{ trimprefix .Tag "v" }}
-  - --platform=linux/riscv64
-  - --pull
-  dockerfile: Dockerfile
-  goarch: riscv64
-  goos: linux
-  image_templates:
-  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}-riscv64'
-  skip_push: false
-  use: buildx
 
-docker_manifests:
+  labels: {}
-- name_template: 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}'
+
-  image_templates:
+  images:
-  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}-amd64'
+  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}'
-  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}-arm-v6'
+
-  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}-arm-v7'
+  # Platforms to build.
-  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}-arm64'
+  platforms:
-  - 'git.cryptic.systems/volker.raschek/{{ .ProjectName }}:{{ trimprefix .Tag "v" }}-riscv64'
+  - linux/amd64
+  - linux/arm/v5
+  - linux/arm/v6
+  - linux/arm/v7
+  - linux/arm64
+  - linux/riscv64
+
+  # Whether to create and attach a SBOM to the image.
+  sbom: "{{ not .IsNightly }}"
+
+  # Tag names.
+  #
+  # Empty tags are ignored.
+  tags:
+  - "{{ .Version }}"
+  - "{{ if .IsNightly }}nightly{{ end }}"
+  - "{{ if not .IsNightly }}latest{{ end }}"
+
+# RPM packages
+nfpms:
+- id: nfpms
+  ids:
+  - dcmerge
+  package_name: dcmerge
+  file_name_template: "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{- if .Arm }}-{{ .Arm }}{{ end }}"
+  vendor: "Volker Raschek"
+  homepage: "https://git.cryptic.systems/volker.raschek/{{ .ProjectName }}"
+  maintainer: "Volker Raschek <volker.raschek@cryptic.systems>"
+  description: |-
+    dcmerge is a tool to merge docker-compose files from multiple resources.
+    It supports merging local files and remote files via HTTP/HTTPS.
+  license: Apache 2.0
+  formats:
+  - deb
+  - rpm
+  dependencies:
+  - git
+  recommends:
+  - docker-compose
+  suggests:
+  - docker
+  bindir: /usr/bin
+  contents:
+  - src: ./README.md
+    dst: "/usr/share/doc/{{ .ProjectName }}/README.md"
+    file_info:
+      mode: 0644
+  # License
+  - src: ./LICENSE
+    dst: "/usr/share/doc/{{ .ProjectName }}/LICENSE"
+    file_info:
+      mode: 0644
+  - src: ./LICENSE
+    dst: "/usr/share/licenses/{{ .ProjectName }}/LICENSE"
+    file_info:
+      mode: 0644
+  # Create man page directory
+  - dst: /usr/share/man/man1
+    type: dir
+    file_info:
+      mode: 0755
+  rpm:
+    group: Development/Tools
+    summary: Tool to merge docker-compose files from multiple resources
+    compression: xz
+  deb:
+    lintian_overrides:
+    - statically-linked-binary
+    - changelog-file-missing-in-native-package
+
+sboms:
+- # ID of the sbom config, must be unique.
+  #
+  # Default: 'default'.
+  id: sboms-cyclonedx
+
+  # IDs of the artifacts to catalog.
+  #
+  # If `artifacts` is "source" or "any" then this fields has no effect.
+  ids:
+  - dcmerge
+
+  # Which artifacts to catalog.
+  #
+  # Valid options are:
+  # - any:        let the SBOM tool decide which artifacts available in
+  #               the cwd should be cataloged
+  # - source:     source archive
+  # - package:    Linux packages (deb, rpm, apk, etc)
+  # - installer:  Windows MSI installers (Pro only)
+  # - diskimage:  macOS DMG disk images (Pro only)
+  # - archive:    archives from archive pipe
+  # - binary:     binaries output from the build stage
+  #
+  # Default: 'archive'.
+  artifacts: binary
+
+  # List of names of the SBOM documents created at this step
+  # (relative to the dist dir).
+  #
+  # Each element configured is made available as variables. For example:
+  #   documents: ["foo", "bar"]
+  #
+  # would make the following variables that can be referenced as template keys:
+  #   document0: "foo"
+  #   document1: "bar"
+  #
+  # Note that multiple sbom values are only allowed if the value of
+  # "artifacts" is "any".
+  #
+  # Default:
+  #   When "binary":   ["{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom.json"]
+  #   When "any":      []
+  #   Otherwise:       ["{{ .ArtifactName }}.sbom.json"]
+  # Templates: allowed.
+  documents:
+  - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{- if .Arm }}-{{ .Arm }}{{ end }}.cdx.json"
+
+  # Path to the SBOM generator command
+  #
+  # Note: the process CWD will be set to the same location as "dist"
+  #
+  # Default: 'syft'.
+  cmd: syft
+
+  # Command line arguments for the command
+  #
+  # Default: ["$artifact", "--output", "spdx-json=$document", "--enrich", "all"].
+  # Templates: allowed.
+  args:
+  - "$artifact"
+  - "--enrich=all"
+  - "--output=cyclonedx-json=$document"
+
+- # ID of the sbom config, must be unique.
+  #
+  # Default: 'default'.
+  id: sboms-spdx
+
+  # IDs of the artifacts to catalog.
+  #
+  # If `artifacts` is "source" or "any" then this fields has no effect.
+  ids:
+  - dcmerge
+
+  # Which artifacts to catalog.
+  #
+  # Valid options are:
+  # - any:        let the SBOM tool decide which artifacts available in
+  #               the cwd should be cataloged
+  # - source:     source archive
+  # - package:    Linux packages (deb, rpm, apk, etc)
+  # - installer:  Windows MSI installers (Pro only)
+  # - diskimage:  macOS DMG disk images (Pro only)
+  # - archive:    archives from archive pipe
+  # - binary:     binaries output from the build stage
+  #
+  # Default: 'archive'.
+  artifacts: binary
+
+  # List of names of the SBOM documents created at this step
+  # (relative to the dist dir).
+  #
+  # Each element configured is made available as variables. For example:
+  #   documents: ["foo", "bar"]
+  #
+  # would make the following variables that can be referenced as template keys:
+  #   document0: "foo"
+  #   document1: "bar"
+  #
+  # Note that multiple sbom values are only allowed if the value of
+  # "artifacts" is "any".
+  #
+  # Default:
+  #   When "binary":   ["{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom.json"]
+  #   When "any":      []
+  #   Otherwise:       ["{{ .ArtifactName }}.sbom.json"]
+  # Templates: allowed.
+  documents:
+  - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{- if .Arm }}-{{ .Arm }}{{ end }}.spdx.json"
+
+  # Path to the SBOM generator command
+  #
+  # Note: the process CWD will be set to the same location as "dist"
+  #
+  # Default: 'syft'.
+  cmd: syft
+
+  # Command line arguments for the command
+  #
+  # Default: ["$artifact", "--output", "spdx-json=$document", "--enrich", "all"].
+  # Templates: allowed.
+  args:
+  - "$artifact"
+  - "--enrich=all"
+  - "--output=spdx-json=$document"
 
 gitea_urls:
   api: https://git.cryptic.systems/api/v1