|
42 | 42 | TAGS: ghcr.io/edera-dev/${{ matrix.component }}:nightly |
43 | 43 | COSIGN_EXPERIMENTAL: "true" |
44 | 44 | run: cosign sign --yes "${TAGS}@${DIGEST}" |
| 45 | + |
| 46 | + - name: Build `build` stage for SBOM scan |
| 47 | + uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 |
| 48 | + with: |
| 49 | + file: ./Dockerfile.${{ matrix.component }} |
| 50 | + target: build |
| 51 | + platforms: linux/amd64 |
| 52 | + load: true |
| 53 | + tags: sbom-scan-${{ matrix.component }}:latest |
| 54 | + - uses: anchore/sbom-action/download-syft@36a5fde73e0fcb1d1e70be9ad66b4724e783bda7 # pinned to match Protect build-and-sign-image |
| 55 | + id: syft |
| 56 | + - name: Generate and attest CycloneDX SBOM |
| 57 | + env: |
| 58 | + DIGEST: ${{ steps.push-step.outputs.digest }} |
| 59 | + TAGS: ghcr.io/edera-dev/${{ matrix.component }}:nightly |
| 60 | + SYFT_CMD: ${{ steps.syft.outputs.cmd }} |
| 61 | + COMPONENT: ${{ matrix.component }} |
| 62 | + COSIGN_EXPERIMENTAL: "true" |
| 63 | + run: | |
| 64 | + set -euo pipefail |
| 65 | + # scope to the alpine package db only |
| 66 | + "${SYFT_CMD}" "docker:sbom-scan-${COMPONENT}:latest" \ |
| 67 | + --override-default-catalogers apk-db-cataloger \ |
| 68 | + --select-catalogers "-file" \ |
| 69 | + --source-name "${COMPONENT}" \ |
| 70 | + -o "cyclonedx-json=${COMPONENT}.cdx.json" |
| 71 | + jq -e '.bomFormat == "CycloneDX" and ((.components // []) | length > 0)' \ |
| 72 | + "${COMPONENT}.cdx.json" >/dev/null \ |
| 73 | + || { echo "::error::SBOM for ${COMPONENT} is empty or invalid"; exit 1; } |
| 74 | + jq '{component: env.COMPONENT, components: (.components | length)}' \ |
| 75 | + "${COMPONENT}.cdx.json" |
| 76 | + cosign attest --yes --type cyclonedx \ |
| 77 | + --predicate "${COMPONENT}.cdx.json" \ |
| 78 | + "${TAGS}@${DIGEST}" |
0 commit comments