
Commit26ee58a

feat: add SBOM generation and attestation to GitHub workflow
Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719f
Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parenta2314ad commit26ee58a


3 files changed

+86
-19
lines changed


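--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1180,6 +1180,33 @@ jobs:
 done
 fi
 
+-name:SBOM Generation and Attestation
+if:github.ref == 'refs/heads/main'
+env:
+COSIGN_EXPERIMENTAL:1
+run:|
+set -euxo pipefail
+
+# Define image base and tags
+IMAGE_BASE="ghcr.io/coder/coder-preview"
+TAGS=("${{ steps.build-docker.outputs.tag }}" "main" "latest")
+
+# Generate and attest SBOM for each tag
+for tag in "${TAGS[@]}"; do
+IMAGE="${IMAGE_BASE}:${tag}"
+SBOM_FILE="coder_sbom_${tag//[:\/]/_}.spdx.json"
+
+echo "Generating SBOM for image: ${IMAGE}"
+syft "${IMAGE}" -o spdx-json > "${SBOM_FILE}"
+
+echo "Attesting SBOM to image: ${IMAGE}"
+cosign clean "${IMAGE}"
+cosign attest --type spdxjson \
+--predicate "${SBOM_FILE}" \
+--yes \
+"${IMAGE}"
+done
+
 # GitHub attestation provides SLSA provenance for the Docker images, establishing a verifiable
 # record that these images were built in GitHub Actions with specific inputs and environment.
 # This complements our existing cosign attestations which focus on SBOMs.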
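Review bot: `steps.build-docker.outputs.tag` is expanded by the workflow template engine straight into the `run:` script at the `TAGS=(...)` line, so whatever that output contains becomes shell source before bash ever sees the surrounding quotes; since this step already has an `env:` block, bind it there instead (`IMAGE_TAG: ${{ steps.build-docker.outputs.tag }}` under `env:`, then `TAGS=("${IMAGE_TAG}" "main" "latest")`). The same direct interpolation of step outputs runs through the new SBOM step in release.yaml, where `multiarch_image` and `version` additionally appear unquoted in the `> coder_..._sbom.spdx.json` redirect target and the `--predicate` argument. Separately, `cosign clean "${IMAGE}"` removes every signature and attestation already attached to the image before the new SBOM is attested, which for the shared `main` and `latest` tags discards anything an earlier run or another pipeline attached; if the aim is only to replace stale SBOM attestations, restricting the clean to attestations (cosign's `clean --type` option, if the pinned version has it) or dropping the clean entirely is safer than wiping the whole set. Keyless attestation here presumably depends on the job holding `id-token: write`, and the enclosing job definition lies outside the hunk, so that permission could not be confirmed from this view.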

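--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -496,6 +496,37 @@ jobs:
 env:
 CODER_BASE_IMAGE_TAG:${{ steps.image-base-tag.outputs.tag }}
 
+-name:SBOM Generation and Attestation
+if:${{ !inputs.dry_run }}
+run:|
+set -euxo pipefail
+
+# Generate SBOM for multi-arch image with version in filename
+echo "Generating SBOM for multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
+syft "${{ steps.build_docker.outputs.multiarch_image }}" -o spdx-json > coder_${{ steps.version.outputs.version }}_sbom.spdx.json
+
+# Attest SBOM to multi-arch image
+echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"
+COSIGN_EXPERIMENTAL=1 cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"
+COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
+--predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \
+--yes \
+"${{ steps.build_docker.outputs.multiarch_image }}"
+
+# If latest tag was created, also attest it
+if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
+latest_tag="$(./scripts/image_tag.sh --version latest)"
+echo "Generating SBOM for latest image: ${latest_tag}"
+syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json
+
+echo "Attesting SBOM to latest image: ${latest_tag}"
+COSIGN_EXPERIMENTAL=1 cosign clean "${latest_tag}"
+COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
+--predicate coder_latest_sbom.spdx.json \
+--yes \
+"${latest_tag}"
+fi
+
 -name:GitHub Attestation for Docker image
 id:attest_main
 if:${{ !inputs.dry_run }}
@@ -612,16 +643,27 @@ jobs:
 fi
 declare -p publish_args
 
+# Build the list of files to publish
+files=(
+./build/*_installer.exe
+./build/*.zip
+./build/*.tar.gz
+./build/*.tgz
+./build/*.apk
+./build/*.deb
+./build/*.rpm
+./coder_${{ steps.version.outputs.version }}_sbom.spdx.json
+)
+
+# Only include the latest SBOM file if it was created
+if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then
+files+=(./coder_latest_sbom.spdx.json)
+fi
+
 ./scripts/release/publish.sh \
 "${publish_args[@]}" \
 --release-notes-file "$CODER_RELEASE_NOTES_FILE" \
-./build/*_installer.exe \
-./build/*.zip \
-./build/*.tar.gz \
-./build/*.tgz \
-./build/*.apk \
-./build/*.deb \
-./build/*.rpm
+"${files[@]}"
 env:
 GITHUB_TOKEN:${{ secrets.GITHUB_TOKEN }}
 CODER_GPG_RELEASE_KEY_BASE64:${{ secrets.GPG_RELEASE_KEY_BASE64 }}
@@ -663,6 +705,15 @@ jobs:
 ./build/*.apk
 ./build/*.deb
 ./build/*.rpm
+./coder_${{ steps.version.outputs.version }}_sbom.spdx.json
+retention-days:7
+
+-name:Upload latest sbom artifact to actions (if dry-run)
+if:inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true'
+uses:actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02# v4.6.2
+with:
+name:latest-sbom-artifact
+path:./coder_latest_sbom.spdx.json
 retention-days:7
 
 -name:Send repository-dispatch event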
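Review bot: The SBOM produced at the `syft "${{ steps.build_docker.outputs.multiarch_image }}" -o spdx-json` line is attested to the multi-arch image, but as far as I can tell syft resolves a manifest list to a single platform's image (the host platform unless `--platform` selects another), so the attestation attached to the index would describe only one architecture's contents; if that is the accepted scope, a comment such as `# NOTE: SBOM covers the runner platform only; per-arch SBOMs are not attested` would stop readers from assuming full coverage, and otherwise the step should generate and attest one SBOM per platform digest. `COSIGN_EXPERIMENTAL=1` is repeated on each cosign invocation in this step while the equivalent ci.yaml step sets it once under `env:`, so moving it to an `env:` block here keeps the two workflows consistent and makes the keyless mode obvious at the step level. The enclosing job continues outside the hunk, so its permissions block was not visible for review.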

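--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -153,17 +153,6 @@ if [[ "$push" == 1 ]]; then
 docker push"$image_tag"1>&2
 fi
 
-log"--- Generating SBOM for Docker image ($image_tag)"
-syft"$image_tag" -o spdx-json>"${image_tag//[:\/]/_}.spdx.json"
-
-if [["$push"== 1 ]];then
-log"--- Attesting SBOM to Docker image for$arch ($image_tag)"
-COSIGN_EXPERIMENTAL=1 cosign clean"$image_tag"
-
-COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
---predicate"${image_tag//[:\/]/_}.spdx.json" \
---yes \
-"$image_tag"
-fi
+# SBOM generation and attestation moved to the GitHub workflow
 
 echo"$image_tag"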
