feat: add SBOM generation and attestation to GitHub workflow
Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719f Signed-off-by: Thomas Kosiewski <[email protected]>
1 parent a2314ad commit c7e6be1

2 files changed

+32
-12
lines changed


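--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -496,6 +496,37 @@ jobs:
         env:
           CODER_BASE_IMAGE_TAG: ${{ steps.image-base-tag.outputs.tag }}
 
+      - name: SBOM Generation and Attestation
+        if: ${{ !inputs.dry_run }}
+        run: |
+          set -euxo pipefail
+
+          # Generate SBOM for multi-arch image
+          echo "Generating SBOM for multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
+          syft "${{ steps.build_docker.outputs.multiarch_image }}" -o spdx-json > coder_sbom.spdx.json
+
+          # Attest SBOM to multi-arch image
+          echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
+          COSIGN_EXPERIMENTAL=1 cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"
+          COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
+            --predicate coder_sbom.spdx.json \
+            --yes \
+            "${{ steps.build_docker.outputs.multiarch_image }}"
+
+          # If latest tag was created, also attest it
+          if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
+            latest_tag="$(./scripts/image_tag.sh --version latest)"
+            echo "Generating SBOM for latest image: ${latest_tag}"
+            syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json
+
+            echo "Attesting SBOM to latest image: ${latest_tag}"
+            COSIGN_EXPERIMENTAL=1 cosign clean "${latest_tag}"
+            COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
+              --predicate coder_latest_sbom.spdx.json \
+              --yes \
+              "${latest_tag}"
+          fi
+
       - name: GitHub Attestation for Docker image
         id: attest_main
         if: ${{ !inputs.dry_run }}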
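Review bot: The `cosign clean` calls at new lines 510 and 523 run with the default clean type, which removes every signature and attestation attached to the reference rather than only a stale SBOM attestation, so anything signed or attested on the multi-arch image earlier in this job is deleted here. Narrowing them to `COSIGN_EXPERIMENTAL=1 cosign clean --type attestation "${{ steps.build_docker.outputs.multiarch_image }}"` (and likewise for `"${latest_tag}"`) limits that blast radius. If the latest tag resolves to the same manifest digest as the multi-arch tag — which the naming suggests but the hunk does not show — cosign stores the attestation under that digest, so the second clean also discards the attestation uploaded a moment earlier and the latest branch merely re-creates it. A `cosign verify-attestation --type spdxjson` against the attested reference, with the expected certificate identity, would confirm the upload actually landed before the following attestation step runs. The step itself is complete within the hunk; the enclosing job continues past it.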

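--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -153,17 +153,6 @@ if [[ "$push" == 1 ]]; then
 	docker push "$image_tag" 1>&2
 fi
 
-log "--- Generating SBOM for Docker image ($image_tag)"
-syft "$image_tag" -o spdx-json >"${image_tag//[:\/]/_}.spdx.json"
-
-if [[ "$push" == 1 ]]; then
-	log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
-	COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"
-
-	COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
-		--predicate "${image_tag//[:\/]/_}.spdx.json" \
-		--yes \
-		"$image_tag"
-fi
+# SBOM generation and attestation moved to the GitHub workflow
 
 echo "$image_tag"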
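Review bot: Dropping the per-architecture attestation means the image pushed at line 153 no longer carries an SBOM attestation; only the multi-arch manifest reference attested in the workflow does. Any consumer that verifies a platform-specific digest instead of the manifest-list tag will find no attestation there, and the replacement comment at new line 156 does not say so. Suggest `# SBOM generation and attestation moved to the GitHub workflow (multi-arch manifest only; per-arch images are no longer attested)`. The per-arch SBOM file written at old line 157 is also no longer produced, so anything that consumed `${image_tag//[:\/]/_}.spdx.json` as a build artifact now has nothing to read. The script continues on both sides of the hunk.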
