NotificationsYou must be signed in to change notification settings
Fork1k
Star11.2k

Commitc7e6be1

committed

feat: add SBOM generation and attestation to GitHub workflow

Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719fSigned-off-by: Thomas Kosiewski <tk@coder.com>

1 parenta2314ad commitc7e6be1Copy full SHA for c7e6be1

File tree

2 files changed

+32

-12

lines changed

.github/workflows
- release.yaml
scripts
- build_docker.sh

2 files changed

+32

-12

lines changed

`‎.github/workflows/release.yaml‎`

Lines changed: 31 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -496,6 +496,37 @@ jobs:`
`496`	`496`	`env:`
`497`	`497`	`CODER_BASE_IMAGE_TAG:${{ steps.image-base-tag.outputs.tag }}`
`498`	`498`
	`499`	`+ -name:SBOM Generation and Attestation`
	`500`	`+if:${{ !inputs.dry_run }}`
	`501`	`+run:\|`
	`502`	`+ set -euxo pipefail`
	`503`	`+`
	`504`	`+ # Generate SBOM for multi-arch image`
	`505`	`+ echo "Generating SBOM for multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"`
	`506`	`+ syft "${{ steps.build_docker.outputs.multiarch_image }}" -o spdx-json > coder_sbom.spdx.json`
	`507`	`+`
	`508`	`+ # Attest SBOM to multi-arch image`
	`509`	`+ echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"`
	`510`	`+ COSIGN_EXPERIMENTAL=1 cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"`
	`511`	`+ COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \`
	`512`	`+ --predicate coder_sbom.spdx.json \`
	`513`	`+ --yes \`
	`514`	`+ "${{ steps.build_docker.outputs.multiarch_image }}"`
	`515`	`+`
	`516`	`+ # If latest tag was created, also attest it`
	`517`	`+ if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then`
	`518`	`+ latest_tag="$(./scripts/image_tag.sh --version latest)"`
	`519`	`+ echo "Generating SBOM for latest image: ${latest_tag}"`
	`520`	`+ syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json`
	`521`	`+`
	`522`	`+ echo "Attesting SBOM to latest image: ${latest_tag}"`
	`523`	`+ COSIGN_EXPERIMENTAL=1 cosign clean "${latest_tag}"`
	`524`	`+ COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \`
	`525`	`+ --predicate coder_latest_sbom.spdx.json \`
	`526`	`+ --yes \`
	`527`	`+ "${latest_tag}"`
	`528`	`+ fi`
	`529`	`+`
`499`	`530`	`-name:GitHub Attestation for Docker image`
`500`	`531`	`id:attest_main`
`501`	`532`	`if:${{ !inputs.dry_run }}`

`‎scripts/build_docker.sh‎`

Lines changed: 1 addition & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -153,17 +153,6 @@ if [[ "$push" == 1 ]]; then`
`153`	`153`	`docker push"$image_tag"1>&2`
`154`	`154`	`fi`
`155`	`155`
`156`		`-log"--- Generating SBOM for Docker image ($image_tag)"`
`157`		`-syft"$image_tag" -o spdx-json>"${image_tag//[:\/]/_}.spdx.json"`
`158`		`-`
`159`		`-if [["$push"== 1 ]];then`
`160`		`-log"--- Attesting SBOM to Docker image for$arch ($image_tag)"`
`161`		`-COSIGN_EXPERIMENTAL=1 cosign clean"$image_tag"`
`162`		`-`
`163`		`-COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \`
`164`		`---predicate"${image_tag//[:\/]/_}.spdx.json" \`
`165`		`---yes \`
`166`		`-"$image_tag"`
`167`		`-fi`
	`156`	`+# SBOM generation and attestation moved to the GitHub workflow`
`168`	`157`
`169`	`158`	`echo"$image_tag"`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitc7e6be1

File tree

2 files changed

2 files changed

`‎.github/workflows/release.yaml‎`

`‎scripts/build_docker.sh‎`

0 commit comments