feat: allow passing sbomDir to KO (#5688)

Co-authored-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

.gitignore

@@ -17,3 +17,4 @@ output.json
 .direnv
 *.pyc
 .intentionally-empty-file.o
+internal/pipe/ko/testdata/app/testapp-linux-amd64.spdx.json

internal/pipe/ko/ko.go

@@ -189,6 +189,7 @@ type buildOptions struct {
 	creationTime        *v1.Time
 	koDataCreationTime  *v1.Time
 	sbom                string
+	SBOMDirectory       string
 	ldflags             []string
 	bare                bool
 	preserveImportPaths bool
@@ -254,6 +255,9 @@ func (o *buildOptions) makeBuilder(ctx *context.Context) (*build.Caching, error)
 	switch o.sbom {
 	case "spdx":
 		buildOptions = append(buildOptions, build.WithSPDX("devel"))
+		if o.SBOMDirectory != "" {
+			buildOptions = append(buildOptions, build.WithSBOMDir(o.SBOMDirectory))
+		}
 	case "none":
 		buildOptions = append(buildOptions, build.WithDisabledSBOM())
 	default:
@@ -391,6 +395,7 @@ func buildBuildOptions(ctx *context.Context, cfg config.Ko) (*buildOptions, erro
 		sbom:                cfg.SBOM,
 		imageRepos:          cfg.Repositories,
 		user:                cfg.User,
+		SBOMDirectory:       cfg.SBOMDirectory,
 	}
 
 	tags, err := applyTemplate(ctx, cfg.Tags)

internal/pipe/ko/ko_test.go

@@ -180,6 +180,7 @@ func TestPublishPipeSuccess(t *testing.T) {
 	table := []struct {
 		Name                string
 		SBOM                string
+		SBOMDirectory       string
 		BaseImage           string
 		Labels              map[string]string
 		ExpectedLabels      map[string]string
@@ -193,13 +194,19 @@ func TestPublishPipeSuccess(t *testing.T) {
 	}{
 		{
 			// Must be first as others add an SBOM for the same image
-			Name: "sbom-none",
-			SBOM: "none",
+			Name:          "sbom-none",
+			SBOM:          "none",
+			SBOMDirectory: "",
 		},
 		{
 			Name: "sbom-spdx",
 			SBOM: "spdx",
 		},
+		{
+			Name:          "sbom-spdx-with-dir",
+			SBOM:          "spdx",
+			SBOMDirectory: "testdata/app/",
+		},
 		{
 			Name:      "base-image-is-not-index",
 			BaseImage: "alpine:latest@sha256:c0d488a800e4127c334ad20d61d7bc21b4097540327217dfab52262adc02380c",
@@ -283,6 +290,7 @@ func TestPublishPipeSuccess(t *testing.T) {
 						CreationTime:       table.CreationTime,
 						KoDataCreationTime: table.KoDataCreationTime,
 						SBOM:               table.SBOM,
+						SBOMDirectory:      table.SBOMDirectory,
 						Bare:               true,
 					},
 				},

pkg/config/config.go

@@ -307,6 +307,7 @@ type Ko struct {
 	CreationTime        string            `yaml:"creation_time,omitempty" json:"creation_time,omitempty"`
 	KoDataCreationTime  string            `yaml:"ko_data_creation_time,omitempty" json:"ko_data_creation_time,omitempty"`
 	SBOM                string            `yaml:"sbom,omitempty" json:"sbom,omitempty"`
+	SBOMDirectory       string            `yaml:"sbom_directory,omitempty" json:"sbom_directory,omitempty"`
 	Ldflags             []string          `yaml:"ldflags,omitempty" json:"ldflags,omitempty"`
 	Flags               []string          `yaml:"flags,omitempty" json:"flags,omitempty"`
 	Env                 []string          `yaml:"env,omitempty" json:"env,omitempty"`

www/docs/customization/ko.md

@@ -103,6 +103,11 @@ kos:
     # Valid options are: spdx and none.
     sbom: none
 
+    # Path to file where the SBOM will be written
+    #
+    # Default: unset - no SBOM written to filesystem (but still uploaded to oci repository).
+    sbom_directory: "out/sbom"
+
     # Ldflags to use on build.
     #
     # Default: build.ldflags.