Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: add SBOM generation and attestation to GitHub workflow #17277

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Apr 7, 2025
+88 −19
Merged

feat: add SBOM generation and attestation to GitHub workflow #17277

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1180,6 +1180,33 @@ jobs:
done
fi

- name: SBOM Generation and Attestation
if: github.ref == 'refs/heads/main'
env:
COSIGN_EXPERIMENTAL: 1
run: |
set -euxo pipefail

# Define image base and tags
IMAGE_BASE="ghcr.io/coder/coder-preview"
TAGS=("${{ steps.build-docker.outputs.tag }}" "main" "latest")

# Generate and attest SBOM for each tag
for tag in "${TAGS[@]}"; do
IMAGE="${IMAGE_BASE}:${tag}"
SBOM_FILE="coder_sbom_${tag//[:\/]/_}.spdx.json"

echo "Generating SBOM for image: ${IMAGE}"
syft "${IMAGE}" -o spdx-json > "${SBOM_FILE}"

echo "Attesting SBOM to image: ${IMAGE}"
cosign clean "${IMAGE}"
cosign attest --type spdxjson \
--predicate "${SBOM_FILE}" \
--yes \
"${IMAGE}"
done

# GitHub attestation provides SLSA provenance for the Docker images, establishing a verifiable
# record that these images were built in GitHub Actions with specific inputs and environment.
# This complements our existing cosign attestations which focus on SBOMs.
Expand Down
67 changes: 60 additions & 7 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -496,6 +496,39 @@ jobs:
env:
CODER_BASE_IMAGE_TAG: ${{ steps.image-base-tag.outputs.tag }}

- name: SBOM Generation and Attestation
if: ${{ !inputs.dry_run }}
env:
COSIGN_EXPERIMENTAL: "1"
run: |
set -euxo pipefail

# Generate SBOM for multi-arch image with version in filename
echo "Generating SBOM for multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
syft "${{ steps.build_docker.outputs.multiarch_image }}" -o spdx-json > coder_${{ steps.version.outputs.version }}_sbom.spdx.json

# Attest SBOM to multi-arch image
echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"
cosign attest --type spdxjson \
--predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \
--yes \
"${{ steps.build_docker.outputs.multiarch_image }}"

# If latest tag was created, also attest it
if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
latest_tag="$(./scripts/image_tag.sh --version latest)"
echo "Generating SBOM for latest image: ${latest_tag}"
syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json

echo "Attesting SBOM to latest image: ${latest_tag}"
cosign clean "${latest_tag}"
cosign attest --type spdxjson \
--predicate coder_latest_sbom.spdx.json \
--yes \
"${latest_tag}"
fi

- name: GitHub Attestation for Docker image
id: attest_main
if: ${{ !inputs.dry_run }}
Expand Down Expand Up @@ -612,16 +645,27 @@ jobs:
fi
declare -p publish_args

# Build the list of files to publish
files=(
./build/*_installer.exe
./build/*.zip
./build/*.tar.gz
./build/*.tgz
./build/*.apk
./build/*.deb
./build/*.rpm
./coder_${{ steps.version.outputs.version }}_sbom.spdx.json
)

# Only include the latest SBOM file if it was created
if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
files+=(./coder_latest_sbom.spdx.json)
fi

./scripts/release/publish.sh \
"${publish_args[@]}" \
--release-notes-file "$CODER_RELEASE_NOTES_FILE" \
./build/*_installer.exe \
./build/*.zip \
./build/*.tar.gz \
./build/*.tgz \
./build/*.apk \
./build/*.deb \
./build/*.rpm
"${files[@]}"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
Expand Down Expand Up @@ -663,6 +707,15 @@ jobs:
./build/*.apk
./build/*.deb
./build/*.rpm
./coder_${{ steps.version.outputs.version }}_sbom.spdx.json
retention-days: 7

- name: Upload latest sbom artifact to actions (if dry-run)
if: inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true'
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: latest-sbom-artifact
path: ./coder_latest_sbom.spdx.json
retention-days: 7

- name: Send repository-dispatch event
Expand Down
13 changes: 1 addition & 12 deletions scripts/build_docker.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,17 +153,6 @@ if [[ "$push" == 1 ]]; then
docker push "$image_tag" 1>&2
fi

log "--- Generating SBOM for Docker image ($image_tag)"
syft "$image_tag" -o spdx-json >"${image_tag//[:\/]/_}.spdx.json"

if [[ "$push" == 1 ]]; then
log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"

COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
--predicate "${image_tag//[:\/]/_}.spdx.json" \
--yes \
"$image_tag"
fi
# SBOM generation and attestation moved to the GitHub workflow

echo "$image_tag"
Loading