Commit c7e6be1

feat: add SBOM generation and attestation to GitHub workflow
Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719f
Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent a2314ad commit c7e6be1

2 files changed: +32 -12 lines changed
.github/workflows/release.yaml

Lines changed: 31 additions & 0 deletions
@@ -496,6 +496,37 @@ jobs:
496496
env:
497497
CODER_BASE_IMAGE_TAG: ${{ steps.image-base-tag.outputs.tag }}
498498

499+
- name: SBOM Generation and Attestation
500+
if: ${{ !inputs.dry_run }}
501+
run: |
502+
set -euxo pipefail
503+
504+
# Generate SBOM for multi-arch image
505+
echo "Generating SBOM for multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
506+
syft "${{ steps.build_docker.outputs.multiarch_image }}" -o spdx-json > coder_sbom.spdx.json
507+
508+
# Attest SBOM to multi-arch image
509+
echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
510+
COSIGN_EXPERIMENTAL=1 cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"
511+
COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
512+
--predicate coder_sbom.spdx.json \
513+
--yes \
514+
"${{ steps.build_docker.outputs.multiarch_image }}"
515+
516+
# If latest tag was created, also attest it
517+
if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
518+
latest_tag="$(./scripts/image_tag.sh --version latest)"
519+
echo "Generating SBOM for latest image: ${latest_tag}"
520+
syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json
521+
522+
echo "Attesting SBOM to latest image: ${latest_tag}"
523+
COSIGN_EXPERIMENTAL=1 cosign clean "${latest_tag}"
524+
COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
525+
--predicate coder_latest_sbom.spdx.json \
526+
--yes \
527+
"${latest_tag}"
528+
fi
529+
499530
- name: GitHub Attestation for Docker image
500531
id: attest_main
501532
if: ${{ !inputs.dry_run }}
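Review bot: `cosign clean` at lines 510 and 523 is destructive without a `--type` filter: it removes every signature, attestation and SBOM already attached to the image, not only stale SBOM attestations, so anything signed or attested on the multi-arch image or the `latest` tag before this step is discarded. If the goal is only to avoid stacking duplicate SBOM attestations, restrict it with `cosign clean --type attestation`, or drop the clean entirely and let verification select by predicate type. Two further caveats on the same hunk: running `syft` once against the multi-arch tag (line 506) replaces the per-arch SBOMs removed from `build_docker.sh`, but syft resolves a manifest list to a single platform (the runner's) unless `--platform` is passed, so the resulting SPDX document only describes one architecture's packages while being attested to the whole index; and `COSIGN_EXPERIMENTAL=1` is a no-op on cosign v2, where keyless signing is the default, so it can be removed once the pinned cosign version is confirmed. Consider also passing the image digest rather than the tag to both `syft` and `cosign attest`, so the SBOM is guaranteed to describe exactly the manifest the attestation is bound to.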

scripts/build_docker.sh

Lines changed: 1 addition & 12 deletions
@@ -153,17 +153,6 @@ if [[ "$push" == 1 ]]; then
153153
docker push "$image_tag" 1>&2
154154
fi
155155

156-
log "--- Generating SBOM for Docker image ($image_tag)"
157-
syft "$image_tag" -o spdx-json >"${image_tag//[:\/]/_}.spdx.json"
158-
159-
if [[ "$push" == 1 ]]; then
160-
log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
161-
COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"
162-
163-
COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
164-
--predicate "${image_tag//[:\/]/_}.spdx.json" \
165-
--yes \
166-
"$image_tag"
167-
fi
156+
# SBOM generation and attestation moved to the GitHub workflow
168157

169158
echo "$image_tag"
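Review bot: removing lines 156-167 drops the SBOM attestation on each per-arch `$image_tag`, not just the generation step, and the replacement workflow step only attests the multi-arch image and the `latest` tag. Anyone pulling an architecture-specific tag directly will no longer find an SBOM attestation on it, and the per-arch `${image_tag//[:\/]/_}.spdx.json` files that this script used to write into the working directory disappear, so any later step that uploaded or archived those files needs to be updated as well. The comment at line 156 should say that both per-arch SBOM files and per-arch attestations are gone, and the commit message should call out the coverage change rather than describing it as a move.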
