project_name: source-controller

builds:
  - skip: true

release:
  prerelease: "true"
  extra_files:
    - glob: config/release/*.yaml

checksum:
  extra_files:
    - glob: config/release/*.yaml

source:
  enabled: true
  name_template: "{{ .ProjectName }}_{{ .Version }}_source_code"

sboms:
  - id: source
    artifacts: source
    documents:
      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"

# signs the checksum file
# all files (including the sboms) are included in the checksum
# https://goreleaser.com/customization/sign
signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    certificate: "${artifact}.pem"
    args:
      - sign-blob
      - "--yes"
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
    artifacts: checksum
    output: true