docs: update docs for new *.sbom.json artifact names

janfuhrer · May 29, 2024 · 2d73c59 · 2d73c59
1 parent aa81711
commit 2d73c59
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 10 deletions.
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -75,7 +75,7 @@ The release workflow includes multiple jobs to create a release of the project.
 ### Go Release
 
 This repository uses [goreleaser](https://goreleaser.com/) to create all the release artifacts. GoReleaser can build and release Go binaries for multiple platforms, create archives/container images/SBOMs and more. All the configuration for the release is stored in the file [.goreleaser.yml](./../../.goreleaser.yml).
-For all the release artifacts (`*.tar.gz`, `*.zip`, `*.sbom`), provenance is generated using the [SLSA Generic Generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md). The provenance file is uploaded to the release assets and can be verified using the `slsa-verifier` tool (see [Release Verification](./../../SECURITY.md#release-verification)).
+For all the release artifacts (`*.tar.gz`, `*.zip`, `*.sbom.json`), provenance is generated using the [SLSA Generic Generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md). The provenance file is uploaded to the release assets and can be verified using the `slsa-verifier` tool (see [Release Verification](./../../SECURITY.md#release-verification)).
 
 ### Container Release
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -32,6 +32,7 @@ jobs:
         with:
           go-version-file: 'go.mod'
           check-latest: true
+          cache: false
       - name: Install Syft
         uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
       - name: Install Cosign
@@ -40,7 +41,7 @@ jobs:
         id: goreleaser
         uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
         with:
-          version: latest
+          version: '~> v1'
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -72,6 +73,7 @@ jobs:
         with:
           go-version-file: 'go.mod'
           check-latest: true
+          cache: false
       - name: Install Cosign
         uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
       - name: Publish podsalsa

diff --git a/SECURITY.md b/SECURITY.md
@@ -40,7 +40,7 @@ cat multiple.intoto.jsonl | jq -r '.payload' | base64 -d | jq
 
 ### Verify provenance of release artifacts
 
-To verify the release artifacts (go binaries and SBOMs) you can use the `slsa-verifier`. This verification works for all release artifcats (`*.tar.gz`, `*.zip`, `*.sbom`).
+To verify the release artifacts (go binaries and SBOMs) you can use the `slsa-verifier`. This verification works for all release artifcats (`*.tar.gz`, `*.zip`, `*.sbom.json`).
 
 ```bash
 # example for the "podsalsa-darwin-amd64.tar.gz" artifact
@@ -191,7 +191,7 @@ The Software Bill of Materials (SBOM) is generated in CycloneDX JSON format for
 
 #### Go binary archives
 
-The SBOMs of the Go binary archives are provided in the `*.tar.gz.sbom` files of the release and can be verified using the `slsa-verifier` (see [Verify the provenance of release artifacts](#verify-provenance-of-release-artifacts)).
+The SBOMs of the Go binary archives are provided in the `*.tar.gz.sbom.json` files of the release and can be verified using the `slsa-verifier` (see [Verify the provenance of release artifacts](#verify-provenance-of-release-artifacts)).
 
 #### Container images
 

diff --git a/docs/component-analysis/dependency-track/manual-sbom-import.md b/docs/component-analysis/dependency-track/manual-sbom-import.md
@@ -57,10 +57,10 @@ If we do this for multiple versions, we can upload them in a loop:
 ```bash
 export HOST=http://localhost:8081
 
-for ARTIFACT in *.sbom; do \
+for ARTIFACT in *.sbom.json; do \
     echo -e "\n--Uploading $ARTIFACT"; \
-    PROJECT_VERSION="$(echo $ARTIFACT | sed -n 's/^.*-\(v[0-9]*\.[0-9]*\.[0-9]*\)\.sbom$/\1/p')" && \
-    PROJECT_NAME="$(echo $ARTIFACT | sed -n 's/\(.*\)-v[0-9]*\.[0-9]*\.[0-9]*.sbom$/\1/p')" && \
+    PROJECT_VERSION="$(echo $ARTIFACT | sed -n 's/^.*-\(v[0-9]*\.[0-9]*\.[0-9]*\)\.sbom\.json$/\1/p')" && \
+    PROJECT_NAME="$(echo $ARTIFACT | sed -n 's/\(.*\)-v[0-9]*\.[0-9]*\.[0-9]*.sbom\.json$/\1/p')" && \
     curl -X "POST" "$HOST/api/v1/bom" \
     -H 'Content-Type: multipart/form-data' \
     -H "X-API-Key: $API_TOKEN" \
@@ -115,10 +115,10 @@ We can now loop the SBOMs back into the dependency track:
 # upload sbom to dependency-track
 export HOST=http://localhost:8081
 
-for ARTIFACT in *.sbom; do \
+for ARTIFACT in *.sbom.json; do \
     echo -e "\n--Uploading $ARTIFACT"; \
-    PROJECT_VERSION="$(echo $ARTIFACT | sed -n 's/^.*-\(v[0-9]*\.[0-9]*\.[0-9]*\)\.sbom$/\1/p')" && \
-    PROJECT_NAME="$(echo $ARTIFACT | sed -n 's/\(.*\)-v[0-9]*\.[0-9]*\.[0-9]*.sbom$/\1/p')" && \
+    PROJECT_VERSION="$(echo $ARTIFACT | sed -n 's/^.*-\(v[0-9]*\.[0-9]*\.[0-9]*\)\.sbom\.json$/\1/p')" && \
+    PROJECT_NAME="$(echo $ARTIFACT | sed -n 's/\(.*\)-v[0-9]*\.[0-9]*\.[0-9]*.sbom\.json$/\1/p')" && \
     curl -X "POST" "$HOST/api/v1/bom" \
     -H 'Content-Type: multipart/form-data' \
     -H "X-API-Key: $API_TOKEN" \