From 4ee807db1d0e37f9f09a3ec22bf7129912f44601 Mon Sep 17 00:00:00 2001
From: Karel Van Hecke <25814162+karelvanhecke@users.noreply.github.com>
Date: Wed, 5 Jun 2024 09:22:01 +0000
Subject: [PATCH] ci: enable SBOM generation and attestation in 'Build and push' reusable workflow

This enables SBOM generation for the release and ci workflows.
Grype can make use of the SBOM to scan for vulnerabilities
---
 .github/workflows/build-push.yml | 25 +++++++++++++++++++++++--
 .github/workflows/ci.yml | 8 +++++++-
 .github/workflows/release.yml | 2 +-
 3 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index f294cbf..690124f 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -83,11 +83,32 @@ jobs:
       - name: Start podman daemon
         run: systemctl --user start podman.socket
 
-      - name: Scan image with Grype
+      - name: Generate SBOM
+        uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
+        with:
+          syft-version: v1.5.0
+          image: podman:${{ steps.push.outputs.registry-path }}@${{ steps.push.outputs.digest }}
+          upload-artifact: false
+          upload-release-assets: false
+          format: json
+          output-file: ${{ inputs.image }}-${{ inputs.version }}.syft.json
+
+      - name: Create SBOM attestation
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+        run: >-
+          cosign attest --yes --key env://COSIGN_PRIVATE_KEY
+          --registry-password='${{ secrets.GITHUB_TOKEN }}'
+          --registry-username='${{ github.actor }}'
+          --predicate='${{ inputs.image }}-${{ inputs.version }}.syft.json'
+          ${{ inputs.registry }}/${{ steps.build.outputs.image }}@${{ steps.push.outputs.digest }}
+
+      - name: Scan SBOM with Grype
         uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
         id: scan
         with:
-          image: podman:${{ steps.push.outputs.registry-path }}@${{ steps.push.outputs.digest }}
+          sbom: ${{ inputs.image }}-${{ inputs.version }}.syft.json
           fail-build: false
           output-format: sarif
           only-fixed: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4e3aed1..a431c1f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -55,7 +55,13 @@ jobs:
           releasever=$(yq '.releasever' almalinux-bootc-version.yaml)
           echo "version=${releasever}+$GITHUB_SHA" >> "$GITHUB_OUTPUT"
 
-          tags="$GITHUB_REF_NAME $GITHUB_SHA"
+          tags="$GITHUB_SHA $GITHUB_REF_NAME v$releasever"
+
+          if [[ $GITHUB_REF_NAME == "main" ]]
+          then
+            tags+=" v${releasever%%.*}"
+          fi
+
           echo "tags=$tags" >> "$GITHUB_OUTPUT"
 
   build-push:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b1413e6..26289dc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
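Review bot: The `cosign attest` step interpolates `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` straight into the `run:` script, so the token becomes part of the shell command line (visible to `ps` on the runner and to any `set -x` trace) instead of following the env-var pattern the same step already uses for `COSIGN_PASSWORD`/`COSIGN_PRIVATE_KEY`. Move both into `env:` and reference them as shell variables, e.g. `REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}` and `REGISTRY_USERNAME: ${{ github.actor }}` under `env:`, then `--registry-password="$REGISTRY_PASSWORD" --registry-username="$REGISTRY_USERNAME"` in the command. Separately, no `--type` is passed, so the attestation is recorded under cosign's default `custom` predicate type; if consumers are expected to verify it with `cosign verify-attestation --type ...` or a policy engine, consider emitting `spdx-json` or `cyclonedx-json` from sbom-action and passing the matching `--type`, since Syft's native `format: json` has no standard predicate type. The enclosing job and its `steps:` list begin before this hunk.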
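Review bot: The new tag list appears to overlap with the tags release.yml publishes: on `main` this emits `v$releasever` and `v${releasever%%.*}` (e.g. `v9.4` and `v9` if `releasever` is `9.4`), while the release workflow derives `${GITHUB_REF_NAME%.*}` and `${GITHUB_REF_NAME%%.*}` from a `v9.4.x` tag, which yield the same strings, so an ordinary CI build of `main` would silently re-point the floating release tags at an unreleased image. If that is not intended, suffix the CI-side tags (e.g. `tags+=" v${releasever%%.*}-dev"`) or leave the `v*` tags to the release workflow and keep `$GITHUB_SHA` as the CI tag. Note also that `$GITHUB_REF_NAME` still enters the tag list unfiltered, and branch names containing `/` are not valid OCI tags, though that predates this change. The `run:` block this script lives in starts before the hunk.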
@@ -36,7 +36,7 @@ jobs:
           releasever=$(yq '.releasever' almalinux-bootc-version.yaml)
           echo "version=${GITHUB_REF_NAME#v*}" >> "$GITHUB_OUTPUT"
 
-          tags="${GITHUB_REF_NAME%%.*} ${GITHUB_REF_NAME%.*} ${GITHUB_REF_NAME}"
+          tags="${GITHUB_REF_NAME} ${GITHUB_REF_NAME%.*} ${GITHUB_REF_NAME%%.*}"
           echo "tags=$tags" >> "$GITHUB_OUTPUT"
 
   build-push: