ci: enable SBOM generation and attestation in 'Build and push' reusab…

…le workflow This enables SBOM generation for the release and ci workflows. Grype can make use of the SBOM to scan for vulnerabilities
karelvanhecke · Jun 5, 2024 · 4ee807d · 4ee807d
1 parent 89f4356
commit 4ee807d
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 4 deletions.
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -83,11 +83,32 @@ jobs:
  - name: Start podman daemon
  run: systemctl --user start podman.socket
 
- - name: Scan image with Grype
+ - name: Generate SBOM
+ uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
+ with:
+ syft-version: v1.5.0
+ image: podman:${{ steps.push.outputs.registry-path }}@${{ steps.push.outputs.digest }}
+ upload-artifact: false
+ upload-release-assets: false
+ format: json
+ output-file: ${{ inputs.image }}-${{ inputs.version }}.syft.json
+
+ - name: Create SBOM attestation
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ run: >-
+ cosign attest --yes --key env://COSIGN_PRIVATE_KEY
+ --registry-password='${{ secrets.GITHUB_TOKEN }}'
+ --registry-username='${{ github.actor }}'
+ --predicate='${{ inputs.image }}-${{ inputs.version }}.syft.json'
+ ${{ inputs.registry }}/${{ steps.build.outputs.image }}@${{ steps.push.outputs.digest }}
+
+ - name: Scan SBOM with Grype
  uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
  id: scan
  with:
- image: podman:${{ steps.push.outputs.registry-path }}@${{ steps.push.outputs.digest }}
+ sbom: ${{ inputs.image }}-${{ inputs.version }}.syft.json
  fail-build: false
  output-format: sarif
  only-fixed: true

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -55,7 +55,13 @@ jobs:
 
  releasever=$(yq '.releasever' almalinux-bootc-version.yaml)
  echo "version=${releasever}+$GITHUB_SHA" >> "$GITHUB_OUTPUT"
- tags="$GITHUB_REF_NAME $GITHUB_SHA"
+ tags="$GITHUB_SHA $GITHUB_REF_NAME v$releasever"
+
+ if [[ $GITHUB_REF_NAME == "main" ]]
+ then
+ tags+=" v${releasever%%.*}"
+ fi
+
  echo "tags=$tags" >> "$GITHUB_OUTPUT"
 
  build-push:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -36,7 +36,7 @@ jobs:
 
  releasever=$(yq '.releasever' almalinux-bootc-version.yaml)
  echo "version=${GITHUB_REF_NAME#v*}" >> "$GITHUB_OUTPUT"
- tags="${GITHUB_REF_NAME%%.*} ${GITHUB_REF_NAME%.*} ${GITHUB_REF_NAME}"
+ tags="${GITHUB_REF_NAME} ${GITHUB_REF_NAME%.*} ${GITHUB_REF_NAME%%.*}"
  echo "tags=$tags" >> "$GITHUB_OUTPUT"
 
  build-push: