fix(dockers/v2): allow to disable SBOM (#6201)

closes https://github.com/orgs/goreleaser/discussions/6178 --------- Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-30 23:58:09 +02:00 · 2025-10-23 10:22:48 -03:00
parent 2d1b42c7ab
commit 2092ff91e6
4 changed files with 31 additions and 1 deletions
--- a/internal/pipe/docker/v2/docker.go
+++ b/internal/pipe/docker/v2/docker.go
@@ -105,7 +105,11 @@ func (Publish) Publish(ctx *context.Context) error {
 	g := semerrgroup.NewSkipAware(semerrgroup.New(ctx.Parallelism))
 	for _, d := range ctx.Config.DockersV2 {
 		g.Go(func() error {
-			return buildImage(ctx, d, "--push", "--attest=type=sbom")
+			extraArgs := []string{"--push"}
+			if d.SBOM == nil || *d.SBOM {
+				extraArgs = append(extraArgs, "--attest=type=sbom")
+			}
+			return buildImage(ctx, d, extraArgs...)
 		})
 	}
 	return g.Wait()
--- a/internal/pipe/docker/v2/docker_integration_test.go
+++ b/internal/pipe/docker/v2/docker_integration_test.go
@@ -179,6 +179,7 @@ func TestPublish(t *testing.T) {
 	testlib.StartRegistry(t, "registry-v2", "5060")
 	testlib.StartRegistry(t, "alt_registry-v2", "5061")

+	b := false
 	dist := t.TempDir()
 	ctx := testctx.NewWithCfg(
 		config.Project{
@@ -205,6 +206,7 @@ func TestPublish(t *testing.T) {
 					Dockerfile: "./testdata/Dockerfile.python",
 					Images:     []string{"localhost:5060/python"},
 					Tags:       []string{"latest"},
+					SBOM:       &b,
 				},
 			},
 		},
@@ -262,6 +264,8 @@ func TestPublish(t *testing.T) {
 		require.Equal(t, map[string]string{
 			"org.opencontainers.image.description": "My multi-arch image",
 		}, manifest.Annotations)
+
+		require.True(t, hasSBOM(t, "localhost:5060/foo:v1.0.0"))
 	})
 	t.Run("python", func(t *testing.T) {
 		images := ctx.Artifacts.
@@ -278,6 +282,7 @@ func TestPublish(t *testing.T) {
 		for _, img := range images {
 			require.NotEmpty(t, artifact.ExtraOr(*img, artifact.ExtraDigest, ""))
 		}
+		require.False(t, hasSBOM(t, "localhost:5060/python:latest"))
 	})
 }

@@ -327,3 +332,17 @@ func inspectManifest(tb testing.TB, image string) v1.Manifest {
 	require.NoError(tb, json.Unmarshal(out, &t))
 	return t
 }
+
+func hasSBOM(tb testing.TB, image string) bool {
+	tb.Helper()
+	out, err := exec.CommandContext(
+		tb.Context(),
+		"docker",
+		"buildx",
+		"imagetools",
+		"inspect",
+		`--format={{ json (index .SBOM "linux/amd64").SPDX.SPDXID }}`,
+		image,
+	).CombinedOutput()
+	return err == nil && string(out) == `"SPDXRef-DOCUMENT"`
+}
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -1088,6 +1088,7 @@ type DockerV2 struct {
 	BuildArgs   map[string]string `yaml:"build_args,omitempty" json:"build_args,omitempty"`
 	Retry       Retry             `yaml:"retry,omitempty" json:"retry,omitempty"`
 	Flags       []string          `yaml:"flags,omitempty" json:"flags,omitempty"`
+	SBOM        *bool             `yaml:"sbom,omitempty" json:"sbom,omitempty"`
 }

 // DockerDigest config.
--- a/www/docs/customization/dockers_v2.md
+++ b/www/docs/customization/dockers_v2.md
@@ -103,6 +103,12 @@ dockers_v2:
      - linux/amd64
      - linux/arm64

+    # Whether to create and attach a SBOM to the image.
+    # Default: true
+    #
+    # <!-- md:inline_version v2.12.7-unreleased -->
+    sbom: false
+
    # Additional `--build-arg`s to be passed.
    #
    # Templates: allowed.