feat: add SBOM generation and attestation to GitHub workflow (#17277)

Move SBOM generation and attestation to GitHub workflow

This PR moves the SBOM generation and attestation process from the `build_docker.sh` script to the GitHub workflow. The change:

1. Removes SBOM generation and attestation from the `build_docker.sh` script
2. Adds a new "SBOM Generation and Attestation" step in the GitHub workflow
3. Generates and attests SBOMs for both multi-arch images and latest tags when applicable

This approach ensures SBOM generation happens once for the final multi-architecture image rather than for each architecture separately.

Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719f
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Thomas Kosiewski
2025-04-07 17:54:05 +02:00
committed by GitHub
parent fc471eb384
commit f48a24c18e
3 changed files with 88 additions and 19 deletions

@ -153,17 +153,6 @@ if [[ "$push" == 1 ]]; then
docker push "$image_tag" 1>&2
fi
log "--- Generating SBOM for Docker image ($image_tag)"
syft "$image_tag" -o spdx-json >"${image_tag//[:\/]/_}.spdx.json"
if [[ "$push" == 1 ]]; then
log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"
COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
--predicate "${image_tag//[:\/]/_}.spdx.json" \
--yes \
"$image_tag"
fi
# SBOM generation and attestation moved to the GitHub workflow
echo "$image_tag"
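Review bot: the deletion here removes the `cosign clean "$image_tag"` call together with the attest step, so whatever workflow step replaces this must also clear stale attestations on the tag before attesting, otherwise a re-pushed tag can carry the previous build's SBOM predicate alongside the new one. The replacement comment `# SBOM generation and attestation moved to the GitHub workflow` would be more useful if it named the workflow file and the step ("SBOM Generation and Attestation") so a reader of this script can find where attestation now happens. It is also worth stating in the script's usage text that a push done directly through `build_docker.sh` now produces no SBOM attestation, since the per-architecture `docker push "$image_tag"` still runs here and only the workflow attests the final multi-arch image.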