Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit abe3ad6

Browse files
ThomasK33ThomasK33
authored
fix: add continue-on-error to SBOM generation and force flag to cosign clean (#17288)
This PR makes the SBOM generation and attestation process more resilient by: 1. Adding `continue-on-error: true` to the SBOM generation steps in both CI and release workflows 2. Adding `--force=true` flag to all `cosign clean` commands to ensure they don't fail if in a non-interactive shell (which is the case for CI) Change-Id: Ide303c059b1a3d0e3fd77863310e99668325bc69 Signed-off-by: Thomas Kosiewski <[email protected]> Signed-off-by: Thomas Kosiewski <[email protected]>
1 parent 0e878a8 commit abe3ad6

File tree

2 files changed

+4
-3
lines changed

2 files changed

+4
-3
lines changed

.github/workflows/ci.yaml

+2-1
Original file line numberDiff line numberDiff line change
@@ -1182,6 +1182,7 @@ jobs:
11821182
11831183
- name: SBOM Generation and Attestation
11841184
if: github.ref == 'refs/heads/main'
1185+
continue-on-error: true
11851186
env:
11861187
COSIGN_EXPERIMENTAL: 1
11871188
run: |
@@ -1200,7 +1201,7 @@ jobs:
12001201
syft "${IMAGE}" -o spdx-json > "${SBOM_FILE}"
12011202
12021203
echo "Attesting SBOM to image: ${IMAGE}"
1203-
cosign clean "${IMAGE}"
1204+
cosign clean --force=true "${IMAGE}"
12041205
cosign attest --type spdxjson \
12051206
--predicate "${SBOM_FILE}" \
12061207
--yes \

.github/workflows/release.yaml

+2-2
Original file line numberDiff line numberDiff line change
@@ -509,7 +509,7 @@ jobs:
509509
510510
# Attest SBOM to multi-arch image
511511
echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
512-
cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"
512+
cosign clean --force=true "${{ steps.build_docker.outputs.multiarch_image }}"
513513
cosign attest --type spdxjson \
514514
--predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \
515515
--yes \
@@ -522,7 +522,7 @@ jobs:
522522
syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json
523523
524524
echo "Attesting SBOM to latest image: ${latest_tag}"
525-
cosign clean "${latest_tag}"
525+
cosign clean --force=true "${latest_tag}"
526526
cosign attest --type spdxjson \
527527
--predicate coder_latest_sbom.spdx.json \
528528
--yes \

0 commit comments

Comments
 (0)