From 9fe4f93bc7afd92f9e98749006aab7f0dd45562c Mon Sep 17 00:00:00 2001
From: Mohammed Al Sahaf <msaa1990@gmail.com>
Date: Tue, 13 Sep 2022 01:59:53 +0300
Subject: supplychain: publish signing cert, sbom, and signatures of sbom
 (#5027)

---
 .goreleaser.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to '.goreleaser.yml')

diff --git a/.goreleaser.yml b/.goreleaser.yml
index d3de2b7..9369bc4 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -68,12 +68,16 @@ builds:
 signs:
   - cmd: cosign
     signature: "${artifact}.sig"
-    args: ["sign-blob", "--output-signature=${signature}", "--output-certificate", "${signature}.pem", "${artifact}"]
+    certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem'
+    args: ["sign-blob", "--output-signature=${signature}", "--output-certificate", "${certificate}", "${artifact}"]
     artifacts: all
 sboms:
   - artifacts: binary
+    # defaults to
+    # documents:
+    # - "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom"
     cmd: syft
-    args: ["$artifact", "--file", "$sbom", "--output", "cyclonedx-json"]
+    args: ["$artifact", "--file", "${document}", "--output", "cyclonedx-json"]
 archives:
   - format_overrides:
       - goos: windows
-- 
cgit v1.2.3