Skip to content

Commit abe3ad6

Browse files
ThomasK33ThomasK33
authored
fix: add continue-on-error to SBOM generation and force flag to cosign clean (#17288)
This PR makes the SBOM generation and attestation process more resilient by: 1. Adding `continue-on-error: true` to the SBOM generation steps in both CI and release workflows 2. Adding `--force=true` flag to all `cosign clean` commands to ensure they don't fail if in a non-interactive shell (which is the case for CI) Change-Id: Ide303c059b1a3d0e3fd77863310e99668325bc69 Signed-off-by: Thomas Kosiewski <tk@coder.com> Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent 0e878a8 commit abe3ad6

File tree

2 files changed

+4
-3
lines changed

2 files changed

+4
-3
lines changed

.github/workflows/ci.yaml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1182,6 +1182,7 @@ jobs:
11821182
11831183
- name: SBOM Generation and Attestation
11841184
if: github.ref == 'refs/heads/main'
1185+
continue-on-error: true
11851186
env:
11861187
COSIGN_EXPERIMENTAL: 1
11871188
run: |
@@ -1200,7 +1201,7 @@ jobs:
12001201
syft "${IMAGE}" -o spdx-json > "${SBOM_FILE}"
12011202
12021203
echo "Attesting SBOM to image: ${IMAGE}"
1203-
cosign clean "${IMAGE}"
1204+
cosign clean --force=true "${IMAGE}"
12041205
cosign attest --type spdxjson \
12051206
--predicate "${SBOM_FILE}" \
12061207
--yes \

.github/workflows/release.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -509,7 +509,7 @@ jobs:
509509
510510
# Attest SBOM to multi-arch image
511511
echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
512-
cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"
512+
cosign clean --force=true "${{ steps.build_docker.outputs.multiarch_image }}"
513513
cosign attest --type spdxjson \
514514
--predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \
515515
--yes \
@@ -522,7 +522,7 @@ jobs:
522522
syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json
523523
524524
echo "Attesting SBOM to latest image: ${latest_tag}"
525-
cosign clean "${latest_tag}"
525+
cosign clean --force=true "${latest_tag}"
526526
cosign attest --type spdxjson \
527527
--predicate coder_latest_sbom.spdx.json \
528528
--yes \

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy