* Deprecate ko deps and ko run
* update-codegen.sh
* delete docs for deprecated stuff
* update deprecation message for ko run
* un-deprecate ko run
* add doc/ko_run.md
This plumbs through support for building multi-arch SPDX SBOMs largely based on Puerco's outline, but with a few
adaptations. I added a few minor refactorings to try to enable consistency across the Image/Index SBOMs.
Related: https://github.com/google/ko/issues/655
* Add purl to SPDX go dependencies
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Fix pkg:oci purls in SPDX sbom
This commit modifies the top level purl in the SPDX sbom to
use an oci purl, indicating it describes an image.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Generate CycloneDX SBOMs using our own JSON generation
* fix some errors
* Add support to ko deps
* Add e2e SBOM validation
* ignore empty hashes (why are hashes empty?)
This adds implicit support for Google, Amazon, Azure and GitHub
container registries if the environment provides credentials.
Binary size increases from 22 MB -> 26 MB
* Connect SBOMs with SPDX support.
This combines Jason's SPDX stuff and my SBOM stuff to support
SPDX-based SBOMs by default instead of our `go version -m`
invention.
* Make ko deps use SPDX by default
* WIP: generate ko deps in SPDX format
- copy out a bunch of BuildInfo stuff that will land in 1.18
* review comments
* have deps take --sbom flag more like Matt's new publish-time flag
* Implement ko deps
* actually add deps.go
* specify auth, useragent, platform
* stop reading tar if the context is cancelled
* chmod to the file's perms
* remove support for --platform, modules don't care about build tags
* fix copyright boilerplate
* drop fs dependency
* update module integration test to newer Go versions
* use entrypoint to identify the binary
* fix gosec finding, some style comments
* revert modules integration test change