fix(release): use syft for SBOM generation in goreleaser #9
Merged
Local snapshot run revealed two issues with the 26.08 release pipeline:

1. cyclonedx-gomod can only inspect Go module source trees, not compiled archives, so goreleaser's per-archive SBOM step failed with "not a go module".
2. The pre-archive SBOM hook created dist/ before goreleaser was ready, which then refused to start.

Switch to syft via goreleaser's native sboms: section. syft inspects the embedded Go BuildInfo of each binary inside the archive, produces a CycloneDX JSON document, and emits it alongside the archive.

Verified end-to-end with `goreleaser release --snapshot --clean --skip=sign`: 6 archives (linux/darwin/windows × amd64/arm64) each paired with a *.cyclonedx.json SBOM, checksums.txt, and the extracted agent binary reports its version from the ldflags injection.

Also pulls direct deps (otel, modernc/sqlite, bubbletea, testify) out of go.mod's indirect block; go mod tidy ran as part of the goreleaser before-hook and surfaced the existing drift.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Pre-tag-cutting validation surfaced two bugs in the 26.08 release pipeline:
`cyclonedx-gomod` can only inspect Go module source trees, not compiled archives — goreleaser's per-archive SBOM step failed with `not a go module`.

Switch to syft via goreleaser's native `sboms:` section. syft inspects the embedded Go BuildInfo of each binary inside the archive and emits a CycloneDX JSON document alongside it.
Verification
```console
$ goreleaser release --snapshot --clean --skip=sign
…
• release succeeded after 11s
$ ls dist/*.cyclonedx.json | wc -l
6
$ /tmp/relsmoke/agent -version
agent 0.0.1-dev
```
Six archives (linux/darwin/windows × amd64/arm64), six matching SBOMs, checksums, working binary with ldflags-injected version.
🤖 Generated with Claude Code
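The goreleaser `sboms:` wiring the description refers to, shown here as an added example rather than this repository's own `.goreleaser.yaml`; the build id, `main` path, version variable name and checksum file name are assumptions, while the syft invocation and the per-archive `{{ .ArtifactName }}.cyclonedx.json` naming follow what the PR describes.

```yaml
# Added example of a .goreleaser.yaml using syft for per-archive SBOMs.
# Not the project's own file; paths and names marked "assumed" are placeholders.
version: 2

before:
  hooks:
    # The PR notes that tidy runs as a before-hook and surfaced go.mod drift.
    - go mod tidy

builds:
  - id: agent                     # assumed build id
    main: ./cmd/agent             # assumed package path
    goos: [linux, darwin, windows]
    goarch: [amd64, arm64]
    ldflags:
      # Version is injected at build time; the variable name is assumed.
      - -s -w -X main.version={{ .Version }}

# No pre-archive SBOM hook: running a tool that writes into dist/ before
# goreleaser starts is what made goreleaser refuse to run. The SBOM step
# below runs after the archives exist, once per archive.
sboms:
  - id: archive-sbom
    artifacts: archive            # one SBOM per archive, not per source tree
    documents:
      - "{{ .ArtifactName }}.cyclonedx.json"
    cmd: syft
    # $artifact is the archive; syft reads the embedded Go BuildInfo of the
    # binary inside it and writes CycloneDX JSON to $document.
    args: ["$artifact", "--output", "cyclonedx-json=$document"]

checksum:
  name_template: checksums.txt    # assumed; matches the file named in the PR
```

A snapshot run (`goreleaser release --snapshot --clean --skip=sign`) is the quickest way to confirm that every archive in `dist/` is paired with a `.cyclonedx.json` before cutting a tag.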