🤖 Attach and sign SBOM (#1235)

* 🤖 Attach and sign SBOM Attempt to fix: #1228 and #1055 Signed-off-by: mudler <[email protected]> * 🤖 Remove bashism, imply that there is a '.sbom' image Signed-off-by: mudler <[email protected]> * Enhancements Signed-off-by: mudler <[email protected]> --------- Signed-off-by: mudler <[email protected]>
kairos-io · Mar 31, 2023 · 8a7f901 · 8a7f901
1 parent f6ff38e
commit 8a7f901
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 6 deletions.
diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml
@@ -103,8 +103,13 @@ jobs:
           TAG: "latest"
           COSIGN_YES: true
         run: |
-          docker push "$IMAGE:$TAG" # Otherwise .RepoDigests will be empty for some reason
-          cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
+          docker push "$IMAGE:$TAG"
+          image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
+          spdx=$(ls build/*.spdx.json)
+          cosign attach sbom --sbom $spdx $image_ref
+          cosign sign $image_ref --attachment sbom
+          # in-toto attestation
+          cosign attest --type spdx --predicate $spdx $image_ref
       - name: Upload results
         uses: actions/upload-artifact@v3
         with:

diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
@@ -146,7 +146,12 @@ jobs:
           COSIGN_YES: true
         run: |
           docker push "$IMAGE:$TAG"
-          cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
+          image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
+          spdx=$(ls *.spdx.json)
+          cosign attach sbom --sbom $spdx $image_ref
+          cosign sign $image_ref --attachment sbom
+          # in-toto attestation
+          cosign attest --type spdx --predicate $spdx $image_ref
       - name: Push to testing
         run: |
           docker tag quay.io/kairos/core-${{ matrix.flavor }}:latest ttl.sh/kairos-${{ matrix.flavor }}-${{ github.sha }}:8h

diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml
@@ -76,7 +76,12 @@ jobs:
         run: |
           export TAG=${GITHUB_REF##*/}
           export IMAGE="quay.io/kairos/core-${{ matrix.flavor }}"
-          cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
+          image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
+          spdx=$(ls build/*.spdx.json)
+          cosign attach sbom --sbom $spdx $image_ref
+          cosign sign $image_ref --attachment sbom
+          # in-toto attestation
+          cosign attest --type spdx --predicate $spdx $image_ref
       - name: Export version
         run: |
           TAG=${GITHUB_REF##*/}

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -110,8 +110,12 @@ jobs:
           export TAG=${GITHUB_REF##*/}
           export IMAGE="quay.io/kairos/core-${{ matrix.flavor }}"
           docker push "$IMAGE:$TAG"
-          cosign sign $(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
-
+          image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$TAG")
+          spdx=$(ls release/*.spdx.json)
+          cosign attach sbom --sbom $spdx $image_ref
+          cosign sign $image_ref --attachment sbom
+          # in-toto attestation
+          cosign attest --type spdx --predicate $spdx $image_ref
       - name: Sign ISO sha files
         env:
           COSIGN_YES: true