-
Notifications
You must be signed in to change notification settings - Fork 9
85 lines (71 loc) · 2.8 KB
/
sbom.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: Generate SBOMs
on:
workflow_call:
inputs:
image-digest:
type: string
required: true
jobs:
sbom:
name: Generate SBOM, sign and attach them to OCI image
strategy:
matrix:
arch: [amd64, arm64]
permissions:
packages: write
id-token: write
runs-on: ubuntu-latest
steps:
- name: Install cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Install the syft command
uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
- name: Install the crane command
uses: IAreKyleW00t/crane-installer@66858ae469ebd32ce731051d9c2bae9b811537e9 # v1.3
- name: Login to GitHub Container Registry
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Find platform digest
shell: bash
run: |
set -e
IMG_REPOSITORY_NAME=$( echo ${{ github.repository_owner }} | awk '{print tolower($0)}' )
echo IMG_REPOSITORY_NAME=${IMG_REPOSITORY_NAME} >> $GITHUB_ENV
DIGEST=$(crane digest \
--platform "linux/${{ matrix.arch }}" \
ghcr.io/${IMG_REPOSITORY_NAME}/kwasm-operator@${{ inputs.image-digest }})
echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Create SBOM file
shell: bash
run: |
syft \
-o spdx-json \
--file kwasm-operator-sbom-${{ matrix.arch }}.spdx \
ghcr.io/${{ env.IMG_REPOSITORY_NAME }}/kwasm-operator@${{ env.PLATFORM_DIGEST }}
- name: Sign SBOM file
run: |
cosign sign-blob --yes \
--output-certificate kwasm-operator-sbom-${{ matrix.arch }}.spdx.cert \
--output-signature kwasm-operator-sbom-${{ matrix.arch }}.spdx.sig \
kwasm-operator-sbom-${{ matrix.arch }}.spdx
- name: Attach SBOM file in the container image
shell: bash
run: |
cosign attach \
sbom --sbom kwasm-operator-sbom-${{ matrix.arch }}.spdx \
ghcr.io/${{ env.IMG_REPOSITORY_NAME }}/kwasm-operator@${{ env.PLATFORM_DIGEST }}
- name: Sign SBOM file pushed to OCI registry
shell: bash
run: |
set -e
SBOM_TAG="$(echo ${{ env.PLATFORM_DIGEST }} | sed -e 's/:/-/g').sbom"
cosign sign --yes \
ghcr.io/${{ env.IMG_REPOSITORY_NAME }}/kwasm-operator:${SBOM_TAG}
- name: Upload SBOMs as artifacts
uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
with:
name: sbom-${{ matrix.arch }}
path: kwasm-operator-sbom-*