Skip to content

Commit b1c2856

Browse files
committed
feat(build): attested sbom
1 parent 64c06ca commit b1c2856

1 file changed

Lines changed: 34 additions & 0 deletions

File tree

.github/workflows/nightly.yml

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,3 +42,37 @@ jobs:
4242
TAGS: ghcr.io/edera-dev/${{ matrix.component }}:nightly
4343
COSIGN_EXPERIMENTAL: "true"
4444
run: cosign sign --yes "${TAGS}@${DIGEST}"
45+
46+
- name: Build `build` stage for SBOM scan
47+
uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
48+
with:
49+
file: ./Dockerfile.${{ matrix.component }}
50+
target: build
51+
platforms: linux/amd64
52+
load: true
53+
tags: sbom-scan-${{ matrix.component }}:latest
54+
- uses: anchore/sbom-action/download-syft@36a5fde73e0fcb1d1e70be9ad66b4724e783bda7 # pinned to match Protect build-and-sign-image
55+
id: syft
56+
- name: Generate and attest CycloneDX SBOM
57+
env:
58+
DIGEST: ${{ steps.push-step.outputs.digest }}
59+
TAGS: ghcr.io/edera-dev/${{ matrix.component }}:nightly
60+
SYFT_CMD: ${{ steps.syft.outputs.cmd }}
61+
COMPONENT: ${{ matrix.component }}
62+
COSIGN_EXPERIMENTAL: "true"
63+
run: |
64+
set -euo pipefail
65+
# scope to the alpine package db only
66+
"${SYFT_CMD}" "docker:sbom-scan-${COMPONENT}:latest" \
67+
--override-default-catalogers apk-db-cataloger \
68+
--select-catalogers "-file" \
69+
--source-name "${COMPONENT}" \
70+
-o "cyclonedx-json=${COMPONENT}.cdx.json"
71+
jq -e '.bomFormat == "CycloneDX" and ((.components // []) | length > 0)' \
72+
"${COMPONENT}.cdx.json" >/dev/null \
73+
|| { echo "::error::SBOM for ${COMPONENT} is empty or invalid"; exit 1; }
74+
jq '{component: env.COMPONENT, components: (.components | length)}' \
75+
"${COMPONENT}.cdx.json"
76+
cosign attest --yes --type cyclonedx \
77+
--predicate "${COMPONENT}.cdx.json" \
78+
"${TAGS}@${DIGEST}"

0 commit comments

Comments
 (0)