From a1c73a4d1b78285c23c86e462464dfdf1ef2b8ca Mon Sep 17 00:00:00 2001
From: Thomas Kosiewski <tk@coder.com>
Date: Tue, 8 Apr 2025 10:08:46 +0200
Subject: [PATCH] fix: add continue-on-error to SBOM generation and force flag
 to cosign clean

Change-Id: Ide303c059b1a3d0e3fd77863310e99668325bc69
Signed-off-by: Thomas Kosiewski <tk@coder.com>
---
 .github/workflows/ci.yaml      | 3 ++-
 .github/workflows/release.yaml | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d25cb84173326..a98fbe9b8f28b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1182,6 +1182,7 @@ jobs:
 
       - name: SBOM Generation and Attestation
         if: github.ref == 'refs/heads/main'
+        continue-on-error: true
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
@@ -1200,7 +1201,7 @@ jobs:
             syft "${IMAGE}" -o spdx-json > "${SBOM_FILE}"
 
             echo "Attesting SBOM to image: ${IMAGE}"
-            cosign clean "${IMAGE}"
+            cosign clean --force=true "${IMAGE}"
             cosign attest --type spdxjson \
               --predicate "${SBOM_FILE}" \
               --yes \
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index eb3983dac807f..653912ae2dad2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -509,7 +509,7 @@ jobs:
 
           # Attest SBOM to multi-arch image
           echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
-          cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"
+          cosign clean --force=true "${{ steps.build_docker.outputs.multiarch_image }}"
           cosign attest --type spdxjson \
             --predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \
             --yes \
@@ -522,7 +522,7 @@ jobs:
             syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json
 
             echo "Attesting SBOM to latest image: ${latest_tag}"
-            cosign clean "${latest_tag}"
+            cosign clean --force=true "${latest_tag}"
             cosign attest --type spdxjson \
               --predicate coder_latest_sbom.spdx.json \
               --yes \

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/17288.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/17288.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/17288.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/17288.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>