.github/workflows/bake.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -139,6 +139,7 @@ on:
  
    env:

      BUILDX_VERSION: "v0.30.1"

      BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available

      SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"

      DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"

      COSIGN_VERSION: "v3.0.2"

      LOCAL_EXPORT_DIR: "/tmp/buildx-output"

    @@ -165,6 +166,7 @@ jobs:
  
            id: set

            uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0

            env:

              INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}

              INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}

              INPUT_RUNNER: ${{ inputs.runner }}

              INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }}

    @@ -184,6 +186,7 @@ jobs:
  
                const { GitHub } = require('@docker/actions-toolkit/lib/github');

                const { Util } = require('@docker/actions-toolkit/lib/util');

                const inpSbomImage = core.getInput('sbom-image');

                const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10);

                const inpRunner = core.getInput('runner');

    @@ -236,7 +239,7 @@ jobs:
  
                    def = await bake.getDefinition({

                      files: inpFiles,

                      overrides: inpSet,

                      sbom: inpSbom ? 'true' : 'false',

                      sbom: inpSbom ? `generator=${inpSbomImage}` : 'false',

                      source: bakeSource,

                      targets: [inpTarget],

                      githubToken: inpGitHubToken

    @@ -462,6 +465,7 @@ jobs:
  
            uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0

            env:

              INPUT_PLATFORM: ${{ matrix.platform }}

              INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}

              INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }}

              INPUT_CACHE: ${{ inputs.cache }}

              INPUT_CACHE-SCOPE: ${{ inputs.cache-scope }}

    @@ -491,6 +495,7 @@ jobs:
  
                const platformPairSuffix = inpPlatform ? `-${inpPlatform.replace(/\//g, '-')}` : '';

                core.setOutput('platform-pair-suffix', platformPairSuffix);

                const inpSbomImage = core.getInput('sbom-image');

                const inpLocalExportDir = core.getInput('local-export-dir');

                const inpCache = core.getBooleanInput('cache');

    @@ -517,14 +522,20 @@ jobs:
  
                  core.setOutput('source', bakeSource);

                });

                const sbom = inpSbom ? `generator=${inpSbomImage}` : 'false';

                await core.group(`Set sbom`, async () => {

                  core.info(sbom);

                  core.setOutput('sbom', sbom);

                });

                let target;

                try {

                  await core.group(`Validating definition`, async () => {

                    const bake = new Bake();

                    const def = await bake.getDefinition({

                      files: inpFiles,

                      overrides: inpSet,

                      sbom: inpSbom ? 'true' : 'false',

                      sbom: sbom,

                      source: bakeSource,

                      targets: [inpTarget],

                      githubToken: inpGitHubToken

    @@ -614,7 +625,7 @@ jobs:
  
              source: ${{ steps.prepare.outputs.source }}

              files: ${{ steps.prepare.outputs.files }}

              targets: ${{ steps.prepare.outputs.target }}

              sbom: ${{ inputs.sbom }}

              sbom: ${{ steps.prepare.outputs.sbom }}

              set: ${{ steps.prepare.outputs.overrides }}

            env:

              BUILDKIT_MULTI_PLATFORM: 1

.github/workflows/build.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -146,6 +146,7 @@ on: @@
     env:
       BUILDX_VERSION: "v0.30.1"
       BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
+      SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
       DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
       COSIGN_VERSION: "v3.0.2"
       LOCAL_EXPORT_DIR: "/tmp/buildx-output"
@@ Expand Down Expand Up / @@ -423,6 +424,7 @@ jobs: @@
             uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
             env:
               INPUT_PLATFORM: ${{ matrix.platform }}
+              INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
               INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }}
               INPUT_ANNOTATIONS: ${{ inputs.annotations }}
               INPUT_CACHE: ${{ inputs.cache }}
@@ Expand All / @@ -432,6 +434,7 @@ jobs: @@
               INPUT_CONTEXT: ${{ inputs.context }}
               INPUT_OUTPUT: ${{ inputs.output }}
               INPUT_PUSH: ${{ inputs.push }}
+              INPUT_SBOM: ${{ inputs.sbom }}
               INPUT_TARGET: ${{ inputs.target }}
               INPUT_META-IMAGES: ${{ inputs.meta-images }}
               INPUT_SET-META-ANNOTATIONS: ${{ inputs.set-meta-annotations }}
@@ Expand All / @@ -445,6 +448,8 @@ jobs: @@
                 const inpPlatform = core.getInput('platform');
                 const platformPairSuffix = inpPlatform ? `-${inpPlatform.replace(/\//g, '-')}` : '';
                 core.setOutput('platform-pair-suffix', platformPairSuffix);
+                const inpSbomImage = core.getInput('sbom-image');
                 const inpLocalExportDir = core.getInput('local-export-dir');
                 const inpAnnotations = core.getMultilineInput('annotations');
@@ Expand All / @@ -455,6 +460,7 @@ jobs: @@
                 const inpLabels = core.getMultilineInput('labels');
                 const inpOutput = core.getInput('output');
                 const inpPush = core.getBooleanInput('push');
+                const inpSbom = core.getBooleanInput('sbom');
                 const inpTarget = core.getInput('target');
                 const inpMetaImages = core.getMultilineInput('meta-images');
@@ Expand Down Expand Up / @@ -486,6 +492,8 @@ jobs: @@
                   core.setOutput('platform', inpPlatform);
                 }
+                core.setOutput('sbom', inpSbom ? `generator=${inpSbomImage}` : 'false');
                 if (inpCache) {
                   core.setOutput('cache-from', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix}`);
                   core.setOutput('cache-to', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix},mode=${inpCacheMode}`);
@@ Expand Down Expand Up / @@ -530,7 +538,7 @@ jobs: @@
               outputs: ${{ steps.prepare.outputs.output }}
               platforms: ${{ steps.prepare.outputs.platform }}
               provenance: ${{ steps.prepare.outputs.provenance }}
-              sbom: ${{ inputs.sbom }}
+              sbom: ${{ steps.prepare.outputs.sbom }}
               secret-envs: GIT_AUTH_TOKEN=GIT_AUTH_TOKEN
               shm-size: ${{ inputs.shm-size }}
               target: ${{ inputs.target }}
@@ Expand Down @@

pin buildkit syft scanner image #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

crazy-max merged 1 commit into docker:main from crazy-max:pin-sbom-image

Jan 9, 2026

-Original file line number
+Diff line change
@@ Expand Up / @@ -146,6 +146,7 @@ on: @@
     env:
       BUILDX_VERSION: "v0.30.1"
       BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
+      SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
       DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
       COSIGN_VERSION: "v3.0.2"
       LOCAL_EXPORT_DIR: "/tmp/buildx-output"
@@ Expand Down Expand Up / @@ -423,6 +424,7 @@ jobs: @@
             uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
             env:
               INPUT_PLATFORM: ${{ matrix.platform }}
+              INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
               INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }}
               INPUT_ANNOTATIONS: ${{ inputs.annotations }}
               INPUT_CACHE: ${{ inputs.cache }}
@@ Expand All / @@ -432,6 +434,7 @@ jobs: @@
               INPUT_CONTEXT: ${{ inputs.context }}
               INPUT_OUTPUT: ${{ inputs.output }}
               INPUT_PUSH: ${{ inputs.push }}
+              INPUT_SBOM: ${{ inputs.sbom }}
               INPUT_TARGET: ${{ inputs.target }}
               INPUT_META-IMAGES: ${{ inputs.meta-images }}
               INPUT_SET-META-ANNOTATIONS: ${{ inputs.set-meta-annotations }}
@@ Expand All / @@ -445,6 +448,8 @@ jobs: @@
                 const inpPlatform = core.getInput('platform');
                 const platformPairSuffix = inpPlatform ? `-${inpPlatform.replace(/\//g, '-')}` : '';
                 core.setOutput('platform-pair-suffix', platformPairSuffix);
+                const inpSbomImage = core.getInput('sbom-image');
                 const inpLocalExportDir = core.getInput('local-export-dir');
                 const inpAnnotations = core.getMultilineInput('annotations');
@@ Expand All / @@ -455,6 +460,7 @@ jobs: @@
                 const inpLabels = core.getMultilineInput('labels');
                 const inpOutput = core.getInput('output');
                 const inpPush = core.getBooleanInput('push');
+                const inpSbom = core.getBooleanInput('sbom');
                 const inpTarget = core.getInput('target');
                 const inpMetaImages = core.getMultilineInput('meta-images');
@@ Expand Down Expand Up / @@ -486,6 +492,8 @@ jobs: @@
                   core.setOutput('platform', inpPlatform);
                 }
+                core.setOutput('sbom', inpSbom ? `generator=${inpSbomImage}` : 'false');
                 if (inpCache) {
                   core.setOutput('cache-from', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix}`);
                   core.setOutput('cache-to', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix},mode=${inpCacheMode}`);
@@ Expand Down Expand Up / @@ -530,7 +538,7 @@ jobs: @@
               outputs: ${{ steps.prepare.outputs.output }}
               platforms: ${{ steps.prepare.outputs.platform }}
               provenance: ${{ steps.prepare.outputs.provenance }}
-              sbom: ${{ inputs.sbom }}
+              sbom: ${{ steps.prepare.outputs.sbom }}
               secret-envs: GIT_AUTH_TOKEN=GIT_AUTH_TOKEN
               shm-size: ${{ inputs.shm-size }}
               target: ${{ inputs.target }}
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pin buildkit syft scanner image #76

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!