add sbom to assets during release also use cosign to sign the images

Signed-off-by: slayer321 <[email protected]>
slayer321 · Feb 5, 2023 · 7c7493e · 7c7493e
1 parent b7da6e8
commit 7c7493e
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 0 deletions.
diff --git a/.github/workflows/ci-latest-release.yml b/.github/workflows/ci-latest-release.yml
@@ -95,6 +95,26 @@ jobs:
           echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT
           echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT
 
+      - name: Install Bom
+        shell: bash
+        run: |
+          curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom
+          sudo mv ./bom /usr/local/bin/bom
+          sudo chmod +x /usr/local/bin/bom
+      
+      - name: Generate SBOM
+        shell: bash
+        run: |
+          bom generate -o sbom_kubearmor_${{ steps.digest.outputs.imagedigest }}.spdx --dirs=. \
+          --image=kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }}
+          bom generate -o sbom_kubearmor_${{ steps.digest.outputs.initdigest }}.spdx --dirs=. \
+          --image=kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }}
+      
+      - name: Attach SBOM to Container Image
+        run: |
+          cosign attach sbom --sbom sbom_kubearmor_${{ steps.digest.outputs.imagedigest }}.spdx kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }}
+          cosign attach sbom --sbom sbom_kubearmor_${{ steps.digest.outputs.initdigest  }}.spdx kubearmor/kubearmor@${{ steps.digest.outputs.initdigest  }}
+
       - name: Sign the Container Images
         env:
           COSIGN_EXPERIMENTAL: "true"
@@ -158,6 +178,27 @@ jobs:
           echo $imagedigest 
           echo $initdigest 
 
+      - name: Install Bom
+        shell: bash
+        run: |
+          curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom
+          sudo mv ./bom /usr/local/bin/bom
+          sudo chmod +x /usr/local/bin/bom
+      
+      - name: Generate SBOM
+        shell: bash
+        run: |
+          bom generate -o sbom_kubearmor_${{ steps.digest.outputs.imagedigest }}.spdx --dirs=. \
+          --image=kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }}
+          bom generate -o sbom_kubearmor_${{ steps.digest.outputs.initdigest }}.spdx --dirs=. \
+          --image=kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }}
+      
+      - name: Attach SBOM to Container Image
+        run: |
+          cosign attach sbom --sbom sbom_kubearmor_${{ steps.digest.outputs.imagedigest }}.spdx kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }}
+          cosign attach sbom --sbom sbom_kubearmor_${{ steps.digest.outputs.initdigest  }}.spdx kubearmor/kubearmor@${{ steps.digest.outputs.initdigest  }}
+
+
       - name: Sign the Container Images
         env:
           COSIGN_EXPERIMENTAL: "true"

diff --git a/.github/workflows/ci-release-sbom.yaml b/.github/workflows/ci-release-sbom.yaml
@@ -0,0 +1,31 @@
+name: SBOM release
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.ref_name }}
+      - name: Install Bom
+        shell: bash
+        run: |
+          curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom
+          sudo mv ./bom /usr/local/bin/bom
+          sudo chmod +x /usr/local/bin/bom
+      
+      - name: Generate SBOM
+        shell: bash
+        run: |
+          bom generate -o sbom_kubearmor.spdx --dirs=. 
+      - name: Upload the sbom file
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload ${{ github.ref_name }} ./sbom_kubearmor.spdx