@@ -48,5 +48,60 @@ checksum:
4848release :
4949 prerelease : auto
5050
51+ sboms :
52+ - # ID of the sbom config, must be unique.
53+ #
54+ # Default: 'default'.
55+ id : sboms
56+
57+ # List of names of the SBOM documents created at this step
58+ # (relative to the dist dir).
59+ #
60+ # Each element configured is made available as variables. For example:
61+ # documents: ["foo", "bar"]
62+ #
63+ # would make the following variables that can be referenced as template keys:
64+ # document0: "foo"
65+ # document1: "bar"
66+ #
67+ # Note that multiple sbom values are only allowed if the value of
68+ # "artifacts" is "any".
69+ #
70+ # Default:
71+ # When "binary": ["{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom.json"]
72+ # When "any": []
73+ # Otherwise: ["{{ .ArtifactName }}.sbom.json"]
74+ # Templates: allowed.
75+ documents :
76+ - " ${artifact}.spdx.json"
77+
78+ # Path to the SBOM generator command
79+ #
80+ # Note: the process CWD will be set to the same location as "dist"
81+ #
82+ # Default: 'syft'.
83+ cmd : syft
84+
85+ # Command line arguments for the command
86+ #
87+ # Default: ["$artifact", "--output", "spdx-json=$document", "--enrich", "all"].
88+ # Templates: allowed.
89+ # args: ["$artifact", "--output", "cyclonedx-json=$document"]
90+
91+ # Which artifacts to catalog.
92+ #
93+ # Valid options are:
94+ # - any: let the SBOM tool decide which artifacts available in
95+ # the cwd should be cataloged
96+ # - source: source archive
97+ # - package: Linux packages (deb, rpm, apk, etc)
98+ # - installer: Windows MSI installers (Pro only)
99+ # - diskimage: macOS DMG disk images (Pro only)
100+ # - archive: archives from archive pipe
101+ # - binary: binaries output from the build stage
102+ #
103+ # Default: 'archive'.
104+ artifacts : archive
105+
51106universal_binaries :
52107 - replace : true
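Review bot: `cmd: syft` resolves the generator from PATH at release time and nothing in this hunk fixes its version, so the SBOM's content depends on whichever syft the release runner has installed; the workflow that installs it (not visible here) should pin a specific release, and a comment such as `# syft is installed at a pinned version by the release workflow` above `cmd` would record that. Because `args` is left commented out, the documented default applies, which includes `--enrich all`; presumably that lets syft consult online sources during the release job, so confirm that network access is acceptable there. The commented example `cyclonedx-json=$document` does not match the `.spdx.json` name under `documents`, so anyone uncommenting it would publish CycloneDX content under an SPDX file name; either drop the example or change it to `spdx-json=$document`. The rest of the config is outside the hunk, so check that the `signs` section covers the new documents (`artifacts: sbom` or `all`), otherwise consumers have no signature to verify them against.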