NotificationsYou must be signed in to change notification settings
Fork906
Star10k

Commitabe3ad6

authored

fix: add continue-on-error to SBOM generation and force flag to cosign clean (#17288)

This PR makes the SBOM generation and attestation process more resilientby:1. Adding `continue-on-error: true` to the SBOM generation steps in bothCI and release workflows2. Adding `--force=true` flag to all `cosign clean` commands to ensurethey don't fail if in a non-interactive shell (which is the case for CI)Change-Id: Ide303c059b1a3d0e3fd77863310e99668325bc69Signed-off-by: Thomas Kosiewski <tk@coder.com>Signed-off-by: Thomas Kosiewski <tk@coder.com>

1 parent0e878a8 commitabe3ad6Copy full SHA for abe3ad6

File tree

2 files changed

-3

lines changed

.github/workflows
- ci.yaml
- release.yaml

2 files changed

-3

lines changed

`‎.github/workflows/ci.yaml`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1182,6 +1182,7 @@ jobs:`
`1182`	`1182`
`1183`	`1183`	`-name:SBOM Generation and Attestation`
`1184`	`1184`	`if:github.ref == 'refs/heads/main'`
	`1185`	`+continue-on-error:true`
`1185`	`1186`	`env:`
`1186`	`1187`	`COSIGN_EXPERIMENTAL:1`
`1187`	`1188`	`run:\|`
`@@ -1200,7 +1201,7 @@ jobs:`
`1200`	`1201`	`syft "${IMAGE}" -o spdx-json > "${SBOM_FILE}"`
`1201`	`1202`
`1202`	`1203`	`echo "Attesting SBOM to image: ${IMAGE}"`
`1203`		`- cosign clean "${IMAGE}"`
	`1204`	`+ cosign clean--force=true"${IMAGE}"`
`1204`	`1205`	`cosign attest --type spdxjson \`
`1205`	`1206`	`--predicate "${SBOM_FILE}" \`
`1206`	`1207`	`--yes \`

`‎.github/workflows/release.yaml`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -509,7 +509,7 @@ jobs:`
`509`	`509`
`510`	`510`	`# Attest SBOM to multi-arch image`
`511`	`511`	`echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"`
`512`		`- cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"`
	`512`	`+ cosign clean--force=true"${{ steps.build_docker.outputs.multiarch_image }}"`
`513`	`513`	`cosign attest --type spdxjson \`
`514`	`514`	`--predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \`
`515`	`515`	`--yes \`
`@@ -522,7 +522,7 @@ jobs:`
`522`	`522`	`syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json`
`523`	`523`
`524`	`524`	`echo "Attesting SBOM to latest image: ${latest_tag}"`
`525`		`- cosign clean "${latest_tag}"`
	`525`	`+ cosign clean--force=true"${latest_tag}"`
`526`	`526`	`cosign attest --type spdxjson \`
`527`	`527`	`--predicate coder_latest_sbom.spdx.json \`
`528`	`528`	`--yes \`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitabe3ad6

File tree

2 files changed

2 files changed

`‎.github/workflows/ci.yaml`

`‎.github/workflows/release.yaml`

0 commit comments