mirror of
https://github.com/coder/coder.git
synced 2025-07-09 11:45:56 +00:00
feat: add SBOM generation and attestation to GitHub workflow (#17277)
Move SBOM generation and attestation to GitHub workflow

This PR moves the SBOM generation and attestation process from the `build_docker.sh` script to the GitHub workflow. The change:

1. Removes SBOM generation and attestation from the `build_docker.sh` script
2. Adds a new "SBOM Generation and Attestation" step in the GitHub workflow
3. Generates and attests SBOMs for both multi-arch images and latest tags when applicable

This approach ensures SBOM generation happens once for the final multi-architecture image rather than for each architecture separately.

Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719f
Signed-off-by: Thomas Kosiewski <tk@coder.com>
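The step the commit message describes, written out as a stand-alone shell script so the flow can be read end to end: one SBOM for the multi-arch image reference, attached with `cosign attest --type spdxjson`, then checked with `cosign verify-attestation` against the workflow identity a consumer should expect. This is an added example, not code from coder/coder or from the PR's workflow; the `example-org/example-repo` identity regexp, the `DRY_RUN` switch and the `sbom_pipeline` function name are assumptions for illustration, and syft and cosign (v2, keyless via GitHub Actions OIDC) are assumed to be on PATH.

```shell
#!/usr/bin/env bash
# Added example, not code from coder/coder: one SBOM + attestation for a
# multi-arch image reference, followed by the verification a consumer would run.
# Assumes syft and cosign v2 are on PATH; set DRY_RUN=1 to print each command
# instead of executing it (lets the pipeline be inspected offline).
set -euo pipefail

# Same filename rule the removed script used: ':' and '/' in an image reference
# become '_' so the SBOM can be written next to the script.
sbom_path() {
  local ref="$1"
  printf '%s.spdx.json\n' "${ref//[:\/]/_}"
}

# Execute a command, or echo it verbatim when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Generate an SPDX JSON SBOM for the image reference (one per image, not per arch).
generate_sbom() {
  local ref="$1"
  run syft "$ref" -o "spdx-json=$(sbom_path "$ref")"
}

# Attach the SBOM as an in-toto attestation. Clearing old attestations first
# avoids stacking a stale SBOM next to the new one when a tag is re-pushed.
attest_sbom() {
  local ref="$1"
  run cosign clean --type attestation --force "$ref"
  run cosign attest --type spdxjson --predicate "$(sbom_path "$ref")" --yes "$ref"
}

# Consumer-side check. Without pinning issuer and identity, any Fulcio
# certificate would satisfy the verification, so both are required here.
# WORKFLOW_IDENTITY_RE is an assumed value; replace it with the real workflow path.
WORKFLOW_IDENTITY_RE='^https://github.com/example-org/example-repo/\.github/workflows/.*$'
verify_sbom() {
  local ref="$1"
  run cosign verify-attestation --type spdxjson \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp "$WORKFLOW_IDENTITY_RE" \
    "$ref"
}

# Full pipeline for every reference given on the command line, e.g. the
# version tag and, when applicable, the `latest` tag.
sbom_pipeline() {
  local ref
  for ref in "$@"; do
    generate_sbom "$ref"
    attest_sbom "$ref"
    verify_sbom "$ref"
  done
}

if [ "$#" -gt 0 ]; then
  sbom_pipeline "$@"
fi
```

Run it against the multi-arch tag only, not the per-architecture tags, so the attestation lands on the reference consumers actually pull; `DRY_RUN=1 ./sbom.sh ghcr.io/org/app:v1` prints the four commands without touching a registry.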
@ -153,17 +153,6 @@ if [[ "$push" == 1 ]]; then
docker push "$image_tag" 1>&2
fi
log "--- Generating SBOM for Docker image ($image_tag)"
syft "$image_tag" -o spdx-json >"${image_tag//[:\/]/_}.spdx.json"
if [[ "$push" == 1 ]]; then
log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"
COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
--predicate "${image_tag//[:\/]/_}.spdx.json" \
--yes \
"$image_tag"
fi
# SBOM generation and attestation moved to the GitHub workflow
echo "$image_tag"
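Review bot: the one-line replacement `# SBOM generation and attestation moved to the GitHub workflow` tells a reader of `build_docker.sh` neither which workflow nor which step now does this, and it hides a behaviour change: with `--push` the script used to leave `${image_tag//[:\/]/_}.spdx.json` on disk and attest it to the pushed tag, and after this hunk neither happens. Suggest naming the workflow file and step in the comment and stating that a local push is no longer attested. Also, the removed block ran `cosign clean "$image_tag"` before `cosign attest`; the workflow step that replaces it is not in this diff, so it is worth confirming there that stale attestations on a re-pushed tag are still cleared and that the attestation is attached to the multi-arch reference consumers verify, as the commit message intends.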