From 938730aa006fcaf3a2a6be76b736bd08400746ba Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 9 Jan 2026 14:26:43 +0100
Subject: [PATCH] pin buildkit syft scanner image

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/bake.yml | 17 ++++++++++++++---
 .github/workflows/build.yml | 10 +++++++++-
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index f24accd..a0ce873 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -139,6 +139,7 @@ on:
 env:
 BUILDX_VERSION: "v0.30.1"
 BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
+ SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
 DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
 COSIGN_VERSION: "v3.0.2"
 LOCAL_EXPORT_DIR: "/tmp/buildx-output"
@@ -165,6 +166,7 @@ jobs:
 id: set
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
+ INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
 INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
 INPUT_RUNNER: ${{ inputs.runner }}
 INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }}
@@ -184,6 +186,7 @@ jobs:
 const { GitHub } = require('@docker/actions-toolkit/lib/github');
 const { Util } = require('@docker/actions-toolkit/lib/util');
+ const inpSbomImage = core.getInput('sbom-image');
 const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10);
 const inpRunner = core.getInput('runner');
@@ -236,7 +239,7 @@ jobs:
 def = await bake.getDefinition({
 files: inpFiles,
 overrides: inpSet,
- sbom: inpSbom ? 'true' : 'false',
+ sbom: inpSbom ? `generator=${inpSbomImage}` : 'false',
 source: bakeSource,
 targets: [inpTarget],
 githubToken: inpGitHubToken
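Review bot: `SBOM_IMAGE` in the -139 hunk is pinned by tag only, while `BUILDKIT_IMAGE` on the line above it is pinned by digest; a tag such as `1.9.0` is mutable in the registry, so the scanner that produces the SBOM attestation is not actually fixed and a retagged image would be pulled without any change to this file. Pinning the digest alongside the tag closes that gap, e.g. `SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0@sha256:<DIGEST_OF_1.9.0>"` (placeholder; take the digest from the registry at pin time). The same applies to the identical hunk in .github/workflows/build.yml. If tag-only pinning is deliberate, for instance to keep automated version bumps simple, a short comment next to the line saying so would stop the next reader from re-raising this.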
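Review bot: The -236 hunk builds the `generator=` value from `inpSbomImage` without checking that the input is non-empty; `core.getInput` returns `''` for an unset input, so a misconfigured `INPUT_SBOM-IMAGE` would produce `generator=` with no image, which presumably makes BuildKit fall back to its default, unpinned scanner rather than fail. Since pinning the scanner is the point of this change, a loud failure is safer: `if (inpSbom && !inpSbomImage) throw new Error('sbom-image input is required when sbom is enabled');` placed right after the input is read. The same pattern appears in the -517 hunk of this file and the -486 hunk of .github/workflows/build.yml. The enclosing prepare script starts and ends outside this hunk.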
@@ -462,6 +465,7 @@ jobs:
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
 INPUT_PLATFORM: ${{ matrix.platform }}
+ INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
 INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }}
 INPUT_CACHE: ${{ inputs.cache }}
 INPUT_CACHE-SCOPE: ${{ inputs.cache-scope }}
@@ -491,6 +495,7 @@ jobs:
 const platformPairSuffix = inpPlatform ? `-${inpPlatform.replace(/\//g, '-')}` : '';
 core.setOutput('platform-pair-suffix', platformPairSuffix);
+ const inpSbomImage = core.getInput('sbom-image');
 const inpLocalExportDir = core.getInput('local-export-dir');
 const inpCache = core.getBooleanInput('cache');
@@ -517,6 +522,12 @@ jobs:
 core.setOutput('source', bakeSource);
 });
+ const sbom = inpSbom ? `generator=${inpSbomImage}` : 'false';
+ await core.group(`Set sbom`, async () => {
+ core.info(sbom);
+ core.setOutput('sbom', sbom);
+ });
+
 let target;
 try {
 await core.group(`Validating definition`, async () => {
@@ -524,7 +535,7 @@ jobs:
 const def = await bake.getDefinition({
 files: inpFiles,
 overrides: inpSet,
- sbom: inpSbom ? 'true' : 'false',
+ sbom: sbom,
 source: bakeSource,
 targets: [inpTarget],
 githubToken: inpGitHubToken
@@ -614,7 +625,7 @@ jobs:
 source: ${{ steps.prepare.outputs.source }}
 files: ${{ steps.prepare.outputs.files }}
 targets: ${{ steps.prepare.outputs.target }}
- sbom: ${{ inputs.sbom }}
+ sbom: ${{ steps.prepare.outputs.sbom }}
 set: ${{ steps.prepare.outputs.overrides }}
 env:
 BUILDKIT_MULTI_PLATFORM: 1
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 784525d..16f0ea6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
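Review bot: In the -524 hunk the new line `sbom: sbom,` can use property shorthand, `sbom,`, now that the value is a local of the same name computed a few lines earlier; this is purely how the line reads and does not change what `bake.getDefinition` receives. The surrounding object literal and the `core.group` that wraps it start and end outside this hunk.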
@@ -146,6 +146,7 @@ on:
 env:
 BUILDX_VERSION: "v0.30.1"
 BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
+ SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
 DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
 COSIGN_VERSION: "v3.0.2"
 LOCAL_EXPORT_DIR: "/tmp/buildx-output"
@@ -423,6 +424,7 @@ jobs:
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
 INPUT_PLATFORM: ${{ matrix.platform }}
+ INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
 INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }}
 INPUT_ANNOTATIONS: ${{ inputs.annotations }}
 INPUT_CACHE: ${{ inputs.cache }}
@@ -432,6 +434,7 @@ jobs:
 INPUT_CONTEXT: ${{ inputs.context }}
 INPUT_OUTPUT: ${{ inputs.output }}
 INPUT_PUSH: ${{ inputs.push }}
+ INPUT_SBOM: ${{ inputs.sbom }}
 INPUT_TARGET: ${{ inputs.target }}
 INPUT_META-IMAGES: ${{ inputs.meta-images }}
 INPUT_SET-META-ANNOTATIONS: ${{ inputs.set-meta-annotations }}
@@ -445,6 +448,8 @@ jobs:
 const inpPlatform = core.getInput('platform');
 const platformPairSuffix = inpPlatform ? `-${inpPlatform.replace(/\//g, '-')}` : '';
 core.setOutput('platform-pair-suffix', platformPairSuffix);
+
+ const inpSbomImage = core.getInput('sbom-image');
 const inpLocalExportDir = core.getInput('local-export-dir');
 const inpAnnotations = core.getMultilineInput('annotations');
@@ -455,6 +460,7 @@ jobs:
 const inpLabels = core.getMultilineInput('labels');
 const inpOutput = core.getInput('output');
 const inpPush = core.getBooleanInput('push');
+ const inpSbom = core.getBooleanInput('sbom');
 const inpTarget = core.getInput('target');
 const inpMetaImages = core.getMultilineInput('meta-images');
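Review bot: `core.getBooleanInput('sbom')` in the -455 hunk throws a TypeError when `INPUT_SBOM` holds anything other than a true/false spelling, including the empty string, whereas the old `sbom: ${{ inputs.sbom }}` line passed whatever was given straight through to the build action. If `inputs.sbom` is declared as `type: boolean` with a default (not visible in this diff) that is harmless; if it is a plain string input, an unset value now fails the prepare step instead of just disabling the SBOM. If the stricter behaviour is intended, a comment on that line such as `// throws unless inputs.sbom is true/false; the input must be a boolean with a default` documents the assumption; otherwise `const inpSbom = core.getInput('sbom') === '' ? false : core.getBooleanInput('sbom');` keeps the earlier leniency. The prepare script this sits in starts and ends outside the hunk.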
@@ -486,6 +492,8 @@ jobs:
 core.setOutput('platform', inpPlatform);
 }
+ core.setOutput('sbom', inpSbom ? `generator=${inpSbomImage}` : 'false');
+
 if (inpCache) {
 core.setOutput('cache-from', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix}`);
 core.setOutput('cache-to', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix},mode=${inpCacheMode}`);
@@ -530,7 +538,7 @@ jobs:
 outputs: ${{ steps.prepare.outputs.output }}
 platforms: ${{ steps.prepare.outputs.platform }}
 provenance: ${{ steps.prepare.outputs.provenance }}
- sbom: ${{ inputs.sbom }}
+ sbom: ${{ steps.prepare.outputs.sbom }}
 secret-envs: GIT_AUTH_TOKEN=GIT_AUTH_TOKEN
 shm-size: ${{ inputs.shm-size }}
 target: ${{ inputs.target }}
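Review bot: The -486 hunk sets the `sbom` output inline without logging it, whereas the equivalent change in bake.yml wraps the same value in a `Set sbom` group with a `core.info` call, so in this workflow the scanner reference actually handed to the build is not visible in the job log. Mirroring the bake.yml shape here — compute the value into a local, log it, then `core.setOutput('sbom', sbom)` — keeps the two prepare steps consistent and makes the tag or digest in use auditable from the run output, which is the point of pinning it. The enclosing prepare script starts and ends outside this hunk.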