{"id":22585142,"url":"https://github.com/goreleaser/example-supply-chain","last_synced_at":"2026-04-19T01:18:31.330Z","repository":{"id":38195245,"uuid":"440961117","full_name":"goreleaser/example-supply-chain","owner":"goreleaser","description":"Example goreleaser + github actions config with keyless signing and SBOM generation","archived":false,"fork":false,"pushed_at":"2024-11-22T08:23:33.000Z","size":114,"stargazers_count":54,"open_issues_count":1,"forks_count":11,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-12-05T10:29:19.591Z","etag":null,"topics":["cosign","go","golang","goreleaser","sbom","signing","sigstore","software-bill-of-materials","supply-chain","syft"],"latest_commit_sha":null,"homepage":"https://goreleaser.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/goreleaser.png","metadata":{"funding":{"github":["caarlos0"],"open_collective":"goreleaser","custom":["https://goreleaser.com/pro"]},"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-22T19:17:33.000Z","updated_at":"2024-12-03T01:49:01.000Z","dependencies_parsed_at":"2023-12-24T16:02:09.030Z","dependency_job_id":"85a3c6d2-795f-4387-a8ee-4369ae51eeb5","html_url":"https://github.com/goreleaser/example-supply-chain","commit_stats":{"total_commits":105,"total_committers":4,"mean_commits":26.25,"dds":0.3047619047619048,"last_synced_commit":"8311bc0749e0a45c715f3b1591e970fa2065ef1c"},"previous_names":["goreleaser/supply-chain-example","goreleaser/example-supply-chain"],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goreleaser%2Fexample-supply-chain","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goreleaser%2Fexample-supply-chain/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goreleaser%2Fexample-supply-chain/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goreleaser%2Fexample-supply-chain/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/goreleaser","download_url":"https://codeload.github.com/goreleaser/example-supply-chain/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247585335,"owners_count":20962333,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cosign","go","golang","goreleaser","sbom","signing","sigstore","software-bill-of-materials","supply-chain","syft"],"created_at":"2024-12-08T07:02:48.531Z","updated_at":"2026-04-19T01:18:31.316Z","avatar_url":"https://github.com/goreleaser.png","language":"Go","funding_links":["https://github.com/sponsors/caarlos0","https://opencollective.com/goreleaser","https://goreleaser.com/pro"],"categories":["Talks, articles, media coverage and other reading"],"sub_categories":["Getting started and staying fresh"],"readme":"# supply-chain-example\n\nGoReleaser + Go Mod proxying + Cosign keyless signing + Syft SBOM generation example.\n\n## How it works\n\nGoReleaser manages the entire thing, basically.\n\nIt will:\n\n- build using the Go Mod Proxy as source of truth\n- call `syft` to create the SBOMs\n- create the checksum file\n- sign it with `cosign`\n- create a docker image using the binary it just built (thus, the binary inside the docker image is the same as the one released)\n- sign the docker image with `cosign` as well\n\n## Verifying\n\nYour users will need to know how to verify the artifacts, and this is what this\nsection is all about.\n\nThe first thing we need to do, is get the current latest version:\n\n```bash\nexport VERSION=\"$(gh release list -L 1 -R goreleaser/example-supply-chain --json=tagName -q '.[] | .tagName')\"\n```\n\nThen, we download the `checksums.txt` and the signature bundle\n(`checksums.txt.sigstore.json`) files, and then verify them:\n\n```bash\nwget https://github.com/goreleaser/example-supply-chain/releases/download/$VERSION/checksums.txt\nwget https://github.com/goreleaser/example-supply-chain/releases/download/$VERSION/checksums.txt.sigstore.json\ncosign verify-blob \\\n    --certificate-identity \"https://github.com/goreleaser/example-supply-chain/.github/workflows/release.yml@refs/tags/$VERSION\" \\\n    --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \\\n    --bundle \"checksums.txt.sigstore.json\" \\\n    ./checksums.txt\n```\n\nThis should succeed - which means that we can from now on verify any artifact\nfrom the release with this checksum file!\n\nYou can then download any file you want from the release, and verify it with, for example:\n\n```bash\nwget \"https://github.com/goreleaser/example-supply-chain/releases/download/$VERSION/supply-chain-example_linux_amd64.tar.gz\"\nsha256sum --ignore-missing -c checksums.txt\n```\n\nWhich should, ideally, say \"OK\".\n\nYou can then inspect the SBOM file to see the entire dependency tree of the\nbinary, check for vulnerable dependencies and whatnot.\n\nTo get the SBOM of an artifact, you can use the same download URL, adding\n`.sbom.json` to the end of the URL, and we can then check it out with `grype`:\n\n```bash\nwget \"https://github.com/goreleaser/example-supply-chain/releases/download/$VERSION/supply-chain-example_linux_amd64.tar.gz.sbom.json\"\nsha256sum --ignore-missing -c checksums.txt\ngrype sbom:supply-chain-example_linux_amd64.tar.gz.sbom.json\n```\n\nFinally, we can also use the `gh` CLI to verify the attestations:\n\n```bash\ngh attestation verify \\\n  --owner goreleaser \\\n  *.tar.gz\n```\n\nDocker images are a bit simpler, you can verify them with cosign\nand grype directly, and check the attestations as well.\n\nSignature:\n\n```bash\ncosign verify \\\n  --certificate-identity \"https://github.com/goreleaser/example-supply-chain/.github/workflows/release.yml@refs/tags/$VERSION\" \\\n  --certificate-oidc-issuer \"https://token.actions.githubusercontent.com\" \\\n  \"ghcr.io/goreleaser/example-supply-chain:$VERSION\"\n```\n\nVulnerabilities:\n\n```bash\ngrype \"docker:ghcr.io/goreleaser/example-supply-chain:$VERSION\"\n```\n\nAttestations:\n\n```bash\ngh attestation verify \\\n  --owner goreleaser \\\n  \"oci://ghcr.io/goreleaser/example-supply-chain:$VERSION\"\n```\n\nIf all these checks are OK, you have a pretty good indication that everything\nis good.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoreleaser%2Fexample-supply-chain","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoreleaser%2Fexample-supply-chain","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoreleaser%2Fexample-supply-chain/lists"}