.goreleaser.yaml

# This is an example .goreleaser.yml file with some sensible defaults.
# Make sure to check the documentation at https://goreleaser.com
before:
  hooks:
    # You may remove this if you don't use go modules.
    - go mod tidy
builds:
  - env:
      - CGO_ENABLED=0
    goos:
      - linux
      - windows
      - darwin
    goarch:
      - amd64
archives:
  - replacements:
      darwin: Darwin
      linux: Linux
      windows: Windows
      386: i386
      amd64: x86_64
checksum:
  name_template: 'checksums.txt'
snapshot:
  name_template: "{{ incpatch .Version }}-next"
changelog:
  sort: asc
  filters:
    exclude:
      - '^docs:'
      - '^test:'

source:
  enabled: true

gomod:
  proxy: true

dockers:
  - image_templates:
    - 'ghcr.io/goturkiye/goreleaser-supply-chain-example:{{ .Tag }}'
    dockerfile: Dockerfile
    build_flag_templates:
    - "--pull"
    - "--label=org.opencontainers.image.created={{.Date}}"
    - "--label=org.opencontainers.image.name={{.ProjectName}}"
    - "--label=org.opencontainers.image.revision={{.FullCommit}}"
    - "--label=org.opencontainers.image.version={{.Version}}"
    - "--label=org.opencontainers.image.source={{.GitURL}}"

sboms:
  - artifacts: archive
  - id: source
    artifacts: source

signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    certificate: '${artifact}.pem'
    args:
      - sign-blob
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      - '${artifact}'
    artifacts: checksum
    output: true

docker_signs:
  - cmd: cosign
    env:
    - COSIGN_EXPERIMENTAL=1
    artifacts: images
    output: true
    args:
    - 'sign'
    - '${artifact}'