From 7c7493e709b499168d8485b2be682e53bbaad8c8 Mon Sep 17 00:00:00 2001
From: slayer321
Date: Sun, 5 Feb 2023 18:26:38 +0530
Subject: [PATCH] add sbom to assets during release also use cosign to sign the images
Signed-off-by: slayer321
---
 .github/workflows/ci-latest-release.yml | 41 +++++++++++++++++++++++++
 .github/workflows/ci-release-sbom.yaml | 31 +++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 .github/workflows/ci-release-sbom.yaml
diff --git a/.github/workflows/ci-latest-release.yml b/.github/workflows/ci-latest-release.yml
index 8d74a896ad..9c630d2fae 100644
--- a/.github/workflows/ci-latest-release.yml
+++ b/.github/workflows/ci-latest-release.yml
@@ -95,6 +95,26 @@ jobs:
 echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT
 echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT
 
+ - name: Install Bom
+ shell: bash
+ run: |
+ curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom
+ sudo mv ./bom /usr/local/bin/bom
+ sudo chmod +x /usr/local/bin/bom
+
+ - name: Generate SBOM
+ shell: bash
+ run: |
+ bom generate -o sbom_kubearmor_${{ steps.digest.outputs.imagedigest }}.spdx --dirs=. \
+ --image=kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }}
+ bom generate -o sbom_kubearmor_${{ steps.digest.outputs.initdigest }}.spdx --dirs=. \
+ --image=kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }}
+
+ - name: Attach SBOM to Container Image
+ run: |
+ cosign attach sbom --sbom sbom_kubearmor_${{ steps.digest.outputs.imagedigest }}.spdx kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }}
+ cosign attach sbom --sbom sbom_kubearmor_${{ steps.digest.outputs.initdigest }}.spdx kubearmor/kubearmor@${{ steps.digest.outputs.initdigest }}
+
 - name: Sign the Container Images
 env:
 COSIGN_EXPERIMENTAL: "true"
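Review bot: The second `cosign attach sbom` line in the Attach SBOM to Container Image step pairs the init image's digest with the wrong repository: the SBOM is generated for `kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }}` in the step above, but attached to `kubearmor/kubearmor@${{ steps.digest.outputs.initdigest }}`, so the line should read `cosign attach sbom --sbom sbom_kubearmor_${{ steps.digest.outputs.initdigest }}.spdx kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }}`. The Install Bom step also fetches the `bom` binary with a bare `curl -L` and installs it into /usr/local/bin with no integrity check, inside the job that subsequently signs the release images; pin the download with a checksum before the `sudo mv`, e.g. `echo "<EXPECTED_SHA256>  bom" | sha256sum -c -` (placeholder for the published digest of the v0.4.1 linux-amd64 build). Both defects are repeated verbatim in the second hunk of this file (@@ -158,6 +178,27 @@), and the unverified download appears a third time in the new ci-release-sbom.yaml, so a single composite action would keep the copies from drifting. As far as I can tell `cosign attach sbom` pushes the SBOM as a separate, unsigned OCI artifact, so the following Sign the Container Images step (whose body lies outside this hunk) covers the image digest but not the SBOM reference unless that is signed or attested as well.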
@@ -158,6 +178,27 @@ jobs:
 echo $imagedigest
 echo $initdigest
 
+ - name: Install Bom
+ shell: bash
+ run: |
+ curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom
+ sudo mv ./bom /usr/local/bin/bom
+ sudo chmod +x /usr/local/bin/bom
+
+ - name: Generate SBOM
+ shell: bash
+ run: |
+ bom generate -o sbom_kubearmor_${{ steps.digest.outputs.imagedigest }}.spdx --dirs=. \
+ --image=kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }}
+ bom generate -o sbom_kubearmor_${{ steps.digest.outputs.initdigest }}.spdx --dirs=. \
+ --image=kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }}
+
+ - name: Attach SBOM to Container Image
+ run: |
+ cosign attach sbom --sbom sbom_kubearmor_${{ steps.digest.outputs.imagedigest }}.spdx kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }}
+ cosign attach sbom --sbom sbom_kubearmor_${{ steps.digest.outputs.initdigest }}.spdx kubearmor/kubearmor@${{ steps.digest.outputs.initdigest }}
+
+
 - name: Sign the Container Images
 env:
 COSIGN_EXPERIMENTAL: "true"
diff --git a/.github/workflows/ci-release-sbom.yaml b/.github/workflows/ci-release-sbom.yaml
new file mode 100644
index 0000000000..0f67b943d7
--- /dev/null
+++ b/.github/workflows/ci-release-sbom.yaml
@@ -0,0 +1,31 @@
+name: SBOM release
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ sbom:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.ref_name }}
+ - name: Install Bom
+ shell: bash
+ run: |
+ curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom
+ sudo mv ./bom /usr/local/bin/bom
+ sudo chmod +x /usr/local/bin/bom
+
+ - name: Generate SBOM
+ shell: bash
+ run: |
+ bom generate -o sbom_kubearmor.spdx --dirs=.
+ - name: Upload the sbom file
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh release upload ${{ github.ref_name }} ./sbom_kubearmor.spdx
\ No newline at end of file
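Review bot: The new ci-release-sbom.yaml workflow declares no `permissions:` block, yet its Upload the sbom file step runs `gh release upload` with `secrets.GITHUB_TOKEN`, which needs write access to release assets; depending on the repository's default token setting the job either fails with a read-only token or runs with far broader rights than it needs, so add at the job level `permissions:` followed by `  contents: write`. The Install Bom step repeats the unverified `curl -L` download already raised on the first file, and here the tool's output becomes a release asset, so a checksum check before `sudo mv` is cheap insurance. The run line `gh release upload ${{ github.ref_name }} ./sbom_kubearmor.spdx` interpolates the tag name straight into the shell; tag names are chosen by whoever can publish a release, so the exposure is limited, but routing it through an environment variable (`TAG: ${{ github.ref_name }}` under `env:` and `gh release upload "$TAG" ./sbom_kubearmor.spdx`) is the documented pattern and costs nothing. The file also ends without a trailing newline, and `actions/checkout@v3` is referenced by a mutable tag rather than a commit SHA, which the release workflow in the first file would likely want to match.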