danish9039
Contributor

Related Issues

Fixes


Description

This PR enhances the CI/CD pipeline by using GoReleaser to build binaries and the SBOM and by using them in Dagger containers.


Key Changes

Dagger Improvements

  • Added SBOM generation for both archives and binaries.
  • Updated container build process to use GoReleaser-generated binaries (publishImage function in .dagger/main.go).
  • Included SBOM files in container images at /usr/share/doc/harbor/.
  • Added OCI labels referencing SBOM locations.

GitHub Workflow

  • Streamlined the build process to use Dagger consistently.
  • Added separate jobs for snapshot and release builds.

New Behavior

  • On tag push:

    • Run GoReleaser to build binaries, generate SBOM, and publish to GitHub Releases.
    • Use generated binaries and SBOM for container image creation.
  • On main branch push:

    • Run GoReleaser in snapshot mode (no publishing).
    • Use snapshot binaries and SBOM for container image creation.

Testing

  • Verified local builds with dagger call publish-image

  • Tested snapshot builds on main branch
  • Verified release builds with version tags
  • Confirmed SBOM generation and inclusion

@bupd bupd self-assigned this Jun 13, 2025
@bupd bupd added enhancement New feature or request Priority: Medium Affecting a limited number of users,degrading the customer experience. labels Jun 13, 2025

codecov bot commented Jun 13, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 7.55%. Comparing base (60ad0bd) to head (6964f34).
⚠️ Report is 31 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##             main    #491      +/-   ##
=========================================
- Coverage   10.99%   7.55%   -3.44%     
=========================================
  Files         173     226      +53     
  Lines        8671   13666    +4995     
=========================================
+ Hits          953    1033      +80     
- Misses       7612   12527    +4915     
  Partials      106     106              

@danish9039
Contributor Author

The vulnerability check was previously failing due to known security issues in Go standard libraries, as seen in the pre-update report produced by running dagger call vulnerability-check-report export --path=vulnerability-check.report on my local machine.

Updated Go to version 1.24.4, which resolves the reported vulnerabilities.

Also upgraded Dagger to version 0.18.10 for compatibility.

After the updates, re-running the check shows no remaining vulnerabilities, as confirmed in the post-update report.

Collaborator

@bupd bupd left a comment

Thanks for your contributions

Please fix the suggestions

danish9039 and others added 2 commits August 13, 2025 17:10
Signed-off-by: danish9039 <[email protected]>
@danish9039
Contributor Author

danish9039 commented Aug 13, 2025

Hi @bupd, sorry for the delay, looks like I should increase the code coverage for pkg/utils/utils.go, so CI can pass.

Signed-off-by: danish9039 <[email protected]>
@danish9039
Contributor Author

@bupd, can you check this, looks like a lot of files need their code coverage to be improved?

@bupd
Collaborator

bupd commented Aug 14, 2025

@bupd, can you check this, looks like a lot of files need their code coverage to be improved?
@danish9039
It is fine to not have code coverage.
We are discussing how to move this forward, since we need to solve two issues together.

  1. re-building binaries in dagger.
  2. missing sbom & and different

So the best way would be to use GoReleaser to create binaries, put those binaries in the respective container images using Dagger, and push to the registry, so you can also attach the SBOM created by GoReleaser to the container, since the container is from scratch and has only the harbor-cli binary.

@bupd
Collaborator

bupd commented Aug 14, 2025

Please do join the next harbor-cli community meeting so we can discuss this and plan.

Thanks for your contributions
