
Commit 26ee58a

feat: add SBOM generation and attestation to GitHub workflow
Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719f Signed-off-by: Thomas Kosiewski <[email protected]>
1 parent a2314ad commit 26ee58a


3 files changed

+86
-19
lines changed


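--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1180,6 +1180,33 @@ jobs:
 done
 fi
 
+- name: SBOM Generation and Attestation
+if: github.ref == 'refs/heads/main'
+env:
+COSIGN_EXPERIMENTAL: 1
+run: |
+set -euxo pipefail
+
+# Define image base and tags
+IMAGE_BASE="ghcr.io/coder/coder-preview"
+TAGS=("${{ steps.build-docker.outputs.tag }}" "main" "latest")
+
+# Generate and attest SBOM for each tag
+for tag in "${TAGS[@]}"; do
+IMAGE="${IMAGE_BASE}:${tag}"
+SBOM_FILE="coder_sbom_${tag//[:\/]/_}.spdx.json"
+
+echo "Generating SBOM for image: ${IMAGE}"
+syft "${IMAGE}" -o spdx-json > "${SBOM_FILE}"
+
+echo "Attesting SBOM to image: ${IMAGE}"
+cosign clean "${IMAGE}"
+cosign attest --type spdxjson \
+--predicate "${SBOM_FILE}" \
+--yes \
+"${IMAGE}"
+done
+
 # GitHub attestation provides SLSA provenance for the Docker images, establishing a verifiable
 # record that these images were built in GitHub Actions with specific inputs and environment.
 # This complements our existing cosign attestations which focus on SBOMs.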
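Review bot: `cosign clean "${IMAGE}"` inside the loop removes every signature and attestation attached to the image's digest, not only material tied to that tag, so if `<tag>`, `main` and `latest` resolve to the same manifest (as the names suggest), the second and third iterations discard the SBOM attestation the previous iteration just uploaded, plus any signature an earlier step attached, and only the last attestation survives. Consider running syft once, attesting a single digest reference (the resolved `ghcr.io/coder/coder-preview@sha256:<digest>` rather than a mutable tag), and dropping `cosign clean` or narrowing it to `cosign clean --type attestation`. The same sequence appears in release.yaml, where `cosign clean "${latest_tag}"` runs after the multi-arch image has already been attested. The `run:` script also interpolates `${{ steps.build-docker.outputs.tag }}` straight into shell; passing it through the step's existing `env:` block as `IMAGE_TAG: ${{ steps.build-docker.outputs.tag }}` and using `TAGS=("$IMAGE_TAG" "main" "latest")` keeps expression output out of the script text, as does the same treatment for the `${{ }}` uses in release.yaml's run blocks.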

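--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -496,6 +496,37 @@ jobs:
 env:
 CODER_BASE_IMAGE_TAG: ${{ steps.image-base-tag.outputs.tag }}
 
+- name: SBOM Generation and Attestation
+if: ${{ !inputs.dry_run }}
+run: |
+set -euxo pipefail
+
+# Generate SBOM for multi-arch image with version in filename
+echo "Generating SBOM for multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
+syft "${{ steps.build_docker.outputs.multiarch_image }}" -o spdx-json > coder_${{ steps.version.outputs.version }}_sbom.spdx.json
+
+# Attest SBOM to multi-arch image
+echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
+COSIGN_EXPERIMENTAL=1 cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"
+COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
+--predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \
+--yes \
+"${{ steps.build_docker.outputs.multiarch_image }}"
+
+# If latest tag was created, also attest it
+if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
+latest_tag="$(./scripts/image_tag.sh --version latest)"
+echo "Generating SBOM for latest image: ${latest_tag}"
+syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json
+
+echo "Attesting SBOM to latest image: ${latest_tag}"
+COSIGN_EXPERIMENTAL=1 cosign clean "${latest_tag}"
+COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
+--predicate coder_latest_sbom.spdx.json \
+--yes \
+"${latest_tag}"
+fi
+
 - name: GitHub Attestation for Docker image
 id: attest_main
 if: ${{ !inputs.dry_run }}
@@ -612,16 +643,27 @@ jobs:
 fi
 declare -p publish_args
 
+# Build the list of files to publish
+files=(
+./build/*_installer.exe
+./build/*.zip
+./build/*.tar.gz
+./build/*.tgz
+./build/*.apk
+./build/*.deb
+./build/*.rpm
+./coder_${{ steps.version.outputs.version }}_sbom.spdx.json
+)
+
+# Only include the latest SBOM file if it was created
+if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
+files+=(./coder_latest_sbom.spdx.json)
+fi
+
 ./scripts/release/publish.sh \
 "${publish_args[@]}" \
 --release-notes-file "$CODER_RELEASE_NOTES_FILE" \
-./build/*_installer.exe \
-./build/*.zip \
-./build/*.tar.gz \
-./build/*.tgz \
-./build/*.apk \
-./build/*.deb \
-./build/*.rpm
+"${files[@]}"
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
@@ -663,6 +705,15 @@ jobs:
 ./build/*.apk
 ./build/*.deb
 ./build/*.rpm
+./coder_${{ steps.version.outputs.version }}_sbom.spdx.json
+retention-days: 7
+
+- name: Upload latest sbom artifact to actions (if dry-run)
+if: inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true'
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+with:
+name: latest-sbom-artifact
+path: ./coder_latest_sbom.spdx.json
 retention-days: 7
 
 - name: Send repository-dispatch event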
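Review bot: In dry-run mode the SBOM files the upload steps expect are never produced: the `SBOM Generation and Attestation` step is gated by `if: ${{ !inputs.dry_run }}`, yet the third hunk adds `./coder_${{ steps.version.outputs.version }}_sbom.spdx.json` to an artifact upload whose new sibling is explicitly `(if dry-run)`, and that sibling is itself `if: inputs.dry_run && …` with `path: ./coder_latest_sbom.spdx.json`. Before this commit `scripts/build_docker.sh` ran syft unconditionally and only gated the cosign calls on `$push`, so a dry run used to have an SBOM to upload; now the dry-run artifacts will be empty or missing. Split the step so syft runs regardless of `inputs.dry_run` and only the `cosign clean`/`cosign attest` calls stay behind `!inputs.dry_run`, or gate both upload paths on the file existing. The header of the upload step at old line 663 lies outside the hunk, so its dry-run-only nature is inferred from its sibling's name.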

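--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -153,17 +153,6 @@ if [[ "$push" == 1 ]]; then
 docker push "$image_tag" 1>&2
 fi
 
-log "--- Generating SBOM for Docker image ($image_tag)"
-syft "$image_tag" -o spdx-json >"${image_tag//[:\/]/_}.spdx.json"
-
-if [[ "$push" == 1 ]]; then
-log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
-COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"
-
-COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
---predicate "${image_tag//[:\/]/_}.spdx.json" \
---yes \
-"$image_tag"
-fi
+# SBOM generation and attestation moved to the GitHub workflow
 
 echo "$image_tag"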
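Review bot: The replacement comment on new line 156 understates the effect of the deletion: the removed block ran once per invocation of this script, so every per-arch image pushed just above it (`docker push "$image_tag" 1>&2`, with `$arch` named in the removed log line) carried its own SBOM attestation, whereas the workflow steps that replace it attest only the multi-arch image and the tag references. If those per-arch tags are still pushed and pullable, they are now unattested and a cosign verification against one of them will find nothing. Either attest them from the workflow as well or state the gap in the comment: `# SBOM generation and attestation moved to the GitHub workflow; per-arch images pushed here are not attested.`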
