secure build pipeline #184
Conversation
|
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Build and push snapshot |
There was a problem hiding this comment.
What is the use case for publishing snapshots? For dev/testing, I'd expect devs to build locally. I'm definitely open to the idea, but I'd like to document the use case.
| tags: rafttech/konfirm:${{ env.RELEASE_VERSION }} | ||
|
|
||
| - name: Generate Snapshot SBOM |
There was a problem hiding this comment.
Same comment as above regarding snapshots.
| image-ref: rafttech/konfirm:${{ github.sha }} | ||
|
|
||
| - name: Generate Release SBOM |
There was a problem hiding this comment.
SBOMs are also available via GitHub, which uses go.mod/go.sum. That wouldn't include the base image, but I wonder if that wouldn't be more accurate for Go dependencies. Can the two be merged in some way, or can Trivy include the image scan and go.mod/sum?
| image-ref: rafttech/konfirm:${{ env.RELEASE_VERSION }} | ||
|
|
||
| - name: Upload SBOM to pipeline |
There was a problem hiding this comment.
Should we upload the generated SBOM to Docker Hub? If so, can we add an attestation/signature?
No description provided.