NotificationsYou must be signed in to change notification settings
Fork905
Star10k

Commitf48a24c

authored

feat: add SBOM generation and attestation to GitHub workflow (#17277)

Move SBOM generation and attestation to GitHub workflowThis PR moves the SBOM generation and attestation process from the `build_docker.sh` script to the GitHub workflow. The change:1. Removes SBOM generation and attestation from the `build_docker.sh` script2. Adds a new "SBOM Generation and Attestation" step in the GitHub workflow3. Generates and attests SBOMs for both multi-arch images and latest tags when applicableThis approach ensures SBOM generation happens once for the final multi-architecture image rather than for each architecture separately.Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719fSigned-off-by: Thomas Kosiewski <tk@coder.com>

1 parentfc471eb commitf48a24cCopy full SHA for f48a24c

File tree

3 files changed

+88

-19

lines changed

.github/workflows
- ci.yaml
- release.yaml
scripts
- build_docker.sh

3 files changed

+88

-19

lines changed

`‎.github/workflows/ci.yaml`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1180,6 +1180,33 @@ jobs:`
`1180`	`1180`	`done`
`1181`	`1181`	`fi`
`1182`	`1182`
	`1183`	`+ -name:SBOM Generation and Attestation`
	`1184`	`+if:github.ref == 'refs/heads/main'`
	`1185`	`+env:`
	`1186`	`+COSIGN_EXPERIMENTAL:1`
	`1187`	`+run:\|`
	`1188`	`+ set -euxo pipefail`
	`1189`	`+`
	`1190`	`+ # Define image base and tags`
	`1191`	`+ IMAGE_BASE="ghcr.io/coder/coder-preview"`
	`1192`	`+ TAGS=("${{ steps.build-docker.outputs.tag }}" "main" "latest")`
	`1193`	`+`
	`1194`	`+ # Generate and attest SBOM for each tag`
	`1195`	`+ for tag in "${TAGS[@]}"; do`
	`1196`	`+ IMAGE="${IMAGE_BASE}:${tag}"`
	`1197`	`+ SBOM_FILE="coder_sbom_${tag//[:\/]/_}.spdx.json"`
	`1198`	`+`
	`1199`	`+ echo "Generating SBOM for image: ${IMAGE}"`
	`1200`	`+ syft "${IMAGE}" -o spdx-json > "${SBOM_FILE}"`
	`1201`	`+`
	`1202`	`+ echo "Attesting SBOM to image: ${IMAGE}"`
	`1203`	`+ cosign clean "${IMAGE}"`
	`1204`	`+ cosign attest --type spdxjson \`
	`1205`	`+ --predicate "${SBOM_FILE}" \`
	`1206`	`+ --yes \`
	`1207`	`+ "${IMAGE}"`
	`1208`	`+ done`
	`1209`	`+`
`1183`	`1210`	`# GitHub attestation provides SLSA provenance for the Docker images, establishing a verifiable`
`1184`	`1211`	`# record that these images were built in GitHub Actions with specific inputs and environment.`
`1185`	`1212`	`# This complements our existing cosign attestations which focus on SBOMs.`

`‎.github/workflows/release.yaml`

Lines changed: 60 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -496,6 +496,39 @@ jobs:`
`496`	`496`	`env:`
`497`	`497`	`CODER_BASE_IMAGE_TAG:${{ steps.image-base-tag.outputs.tag }}`
`498`	`498`
	`499`	`+ -name:SBOM Generation and Attestation`
	`500`	`+if:${{ !inputs.dry_run }}`
	`501`	`+env:`
	`502`	`+COSIGN_EXPERIMENTAL:"1"`
	`503`	`+run:\|`
	`504`	`+ set -euxo pipefail`
	`505`	`+`
	`506`	`+ # Generate SBOM for multi-arch image with version in filename`
	`507`	`+ echo "Generating SBOM for multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"`
	`508`	`+ syft "${{ steps.build_docker.outputs.multiarch_image }}" -o spdx-json > coder_${{ steps.version.outputs.version }}_sbom.spdx.json`
	`509`	`+`
	`510`	`+ # Attest SBOM to multi-arch image`
	`511`	`+ echo "Attesting SBOM to multi-arch image: ${{ steps.build_docker.outputs.multiarch_image }}"`
	`512`	`+ cosign clean "${{ steps.build_docker.outputs.multiarch_image }}"`
	`513`	`+ cosign attest --type spdxjson \`
	`514`	`+ --predicate coder_${{ steps.version.outputs.version }}_sbom.spdx.json \`
	`515`	`+ --yes \`
	`516`	`+ "${{ steps.build_docker.outputs.multiarch_image }}"`
	`517`	`+`
	`518`	`+ # If latest tag was created, also attest it`
	`519`	`+ if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then`
	`520`	`+ latest_tag="$(./scripts/image_tag.sh --version latest)"`
	`521`	`+ echo "Generating SBOM for latest image: ${latest_tag}"`
	`522`	`+ syft "${latest_tag}" -o spdx-json > coder_latest_sbom.spdx.json`
	`523`	`+`
	`524`	`+ echo "Attesting SBOM to latest image: ${latest_tag}"`
	`525`	`+ cosign clean "${latest_tag}"`
	`526`	`+ cosign attest --type spdxjson \`
	`527`	`+ --predicate coder_latest_sbom.spdx.json \`
	`528`	`+ --yes \`
	`529`	`+ "${latest_tag}"`
	`530`	`+ fi`
	`531`	`+`
`499`	`532`	`-name:GitHub Attestation for Docker image`
`500`	`533`	`id:attest_main`
`501`	`534`	`if:${{ !inputs.dry_run }}`
`@@ -612,16 +645,27 @@ jobs:`
`612`	`645`	`fi`
`613`	`646`	`declare -p publish_args`
`614`	`647`
	`648`	`+ # Build the list of files to publish`
	`649`	`+ files=(`
	`650`	`+ ./build/*_installer.exe`
	`651`	`+ ./build/*.zip`
	`652`	`+ ./build/*.tar.gz`
	`653`	`+ ./build/*.tgz`
	`654`	`+ ./build/*.apk`
	`655`	`+ ./build/*.deb`
	`656`	`+ ./build/*.rpm`
	`657`	`+ ./coder_${{ steps.version.outputs.version }}_sbom.spdx.json`
	`658`	`+ )`
	`659`	`+`
	`660`	`+ # Only include the latest SBOM file if it was created`
	`661`	`+ if [[ "${{ steps.build_docker.outputs.created_latest_tag }}" == "true" ]]; then`
	`662`	`+ files+=(./coder_latest_sbom.spdx.json)`
	`663`	`+ fi`
	`664`	`+`
`615`	`665`	`./scripts/release/publish.sh \`
`616`	`666`	`"${publish_args[@]}" \`
`617`	`667`	`--release-notes-file "$CODER_RELEASE_NOTES_FILE" \`
`618`		`- ./build/*_installer.exe \`
`619`		`- ./build/*.zip \`
`620`		`- ./build/*.tar.gz \`
`621`		`- ./build/*.tgz \`
`622`		`- ./build/*.apk \`
`623`		`- ./build/*.deb \`
`624`		`- ./build/*.rpm`
	`668`	`+ "${files[@]}"`
`625`	`669`	`env:`
`626`	`670`	`GITHUB_TOKEN:${{ secrets.GITHUB_TOKEN }}`
`627`	`671`	`CODER_GPG_RELEASE_KEY_BASE64:${{ secrets.GPG_RELEASE_KEY_BASE64 }}`
`@@ -663,6 +707,15 @@ jobs:`
`663`	`707`	`./build/*.apk`
`664`	`708`	`./build/*.deb`
`665`	`709`	`./build/*.rpm`
	`710`	`+ ./coder_${{ steps.version.outputs.version }}_sbom.spdx.json`
	`711`	`+retention-days:7`
	`712`	`+`
	`713`	`+ -name:Upload latest sbom artifact to actions (if dry-run)`
	`714`	`+if:inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true'`
	`715`	`+uses:actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02# v4.6.2`
	`716`	`+with:`
	`717`	`+name:latest-sbom-artifact`
	`718`	`+path:./coder_latest_sbom.spdx.json`
`666`	`719`	`retention-days:7`
`667`	`720`
`668`	`721`	`-name:Send repository-dispatch event`

`‎scripts/build_docker.sh`

Lines changed: 1 addition & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -153,17 +153,6 @@ if [[ "$push" == 1 ]]; then`
`153`	`153`	`docker push"$image_tag"1>&2`
`154`	`154`	`fi`
`155`	`155`
`156`		`-log"--- Generating SBOM for Docker image ($image_tag)"`
`157`		`-syft"$image_tag" -o spdx-json>"${image_tag//[:\/]/_}.spdx.json"`
`158`		`-`
`159`		`-if [["$push"== 1 ]];then`
`160`		`-log"--- Attesting SBOM to Docker image for$arch ($image_tag)"`
`161`		`-COSIGN_EXPERIMENTAL=1 cosign clean"$image_tag"`
`162`		`-`
`163`		`-COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \`
`164`		`---predicate"${image_tag//[:\/]/_}.spdx.json" \`
`165`		`---yes \`
`166`		`-"$image_tag"`
`167`		`-fi`
	`156`	`+# SBOM generation and attestation moved to the GitHub workflow`
`168`	`157`
`169`	`158`	`echo"$image_tag"`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf48a24c

File tree

3 files changed

3 files changed

`‎.github/workflows/ci.yaml`

`‎.github/workflows/release.yaml`

`‎scripts/build_docker.sh`

0 commit comments