project_name: source-controller

builds:
  - skip: true

release:
  extra_files:
    - glob: config/release/*.yaml
  prerelease: "auto"
  header: |
    ## Changelog

    [{{.Tag}} changelog](https://github.com/fluxcd/{{.ProjectName}}/blob/{{.Tag}}/CHANGELOG.md)
  footer: |
    ## Container images
    
    - `docker.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
    - `ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
    
    Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.
    
    The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
    To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).

changelog:
  skip: true

checksum:
  extra_files:
    - glob: config/release/*.yaml

source:
  enabled: true
  name_template: "{{ .ProjectName }}_{{ .Version }}_source_code"

sboms:
  - id: source
    artifacts: source
    documents:
      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"

# signs the checksum file
# all files (including the sboms) are included in the checksum
# https://goreleaser.com/customization/sign
signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    certificate: "${artifact}.pem"
    args:
      - sign-blob
      - "--yes"
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
    artifacts: checksum
    output: true