Merged
2 changes: 1 addition & 1 deletion .github/workflows/ci-test.yml
@@ -7,7 +7,7 @@
- master

permissions:
contents: read

Check warning on line 10 in .github/workflows/ci-test.yml


SonarQubeCloud / SonarCloud Code Analysis

Move this read permission from workflow level to job level.

See more on https://sonarcloud.io/project/issues?id=TykTechnologies_tyk-pump&issues=AZ2LTXCrXJkIqGYU4kIy&open=AZ2LTXCrXJkIqGYU4kIy&pullRequest=962

env:
TYK_PMP_ANALYTICSSTORAGETYPE: redis
@@ -64,7 +64,7 @@
- name: Install Dependencies and basic hygiene test
id: hygiene
run: |
go run golang.org/x/tools/cmd/goimports@v0.33.0 -l .
go install golang.org/x/tools/cmd/goimports@v0.33.0

Check failure on line 67 in .github/workflows/ci-test.yml


probelabs / Visor: architecture

architecture Issue

The `goimports` hygiene check has been effectively disabled. The command was changed from `go run ... -l .`, which executes the check, to `go install ...`, which only installs the tool. This silently removes a code quality gate from the CI pipeline, which is an architectural regression.
Raw output
The step should be modified to both install `goimports` (to make it available for later scripts) and execute the formatting check. The check should fail the job if any files need reformatting. For example:
```yaml
run: |
  go install golang.org/x/tools/cmd/goimports@v0.33.0
  if [ -n "$(goimports -l .)" ]; then
    echo "goimports found formatting issues"
    exit 1
  fi
```

Check warning on line 67 in .github/workflows/ci-test.yml


probelabs / Visor: security

architecture Issue

The `goimports` command was changed from `go run ... -l .` to `go install ...`. The original command checked for formatting issues and would fail the build if any were found. The new command only installs the tool, effectively disabling the formatting check at this stage of the CI pipeline.
Raw output
Restore the formatting check. After installing the tool, add a step to run it with the `-l` flag and fail the job if it produces any output. This ensures that code formatting is consistently enforced.

- name: Fetch base branch
if: ${{ github.event_name == 'pull_request' }}
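Review bot: the `go run golang.org/x/tools/cmd/goimports@v0.33.0 -l .` to `go install ...` change turns the hygiene step into a plain tool install, so nothing in this hunk checks formatting any more (both Visor annotations above make the same point). If the binary is needed on PATH for later scripts, keep the `go install` but follow it with a gate on the tool's output, for example `test -z "$(goimports -l .)"`, since `-l` only lists the files that would change and the job fails on them only if that list is tested.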
2 changes: 1 addition & 1 deletion .github/workflows/linter.yaml
@@ -12,7 +12,7 @@

permissions:
contents: read
checks: write

Check warning on line 15 in .github/workflows/linter.yaml


SonarQubeCloud / SonarCloud Code Analysis

Move this write permission from workflow level to job level.

See more on https://sonarcloud.io/project/issues?id=TykTechnologies_tyk-pump&issues=AZ2LTXDkXJkIqGYU4kIz&open=AZ2LTXDkXJkIqGYU4kIz&pullRequest=962

env:
TYK_PMP_ANALYTICSSTORAGETYPE: redis
@@ -61,7 +61,7 @@
run: |
PKGS="$(go list ./...)"
OPTS="-count=1 -failfast -v"
GOTESTSUM="go run gotest.tools/gotestsum@v1.12.1"
GOTESTSUM="go run gotest.tools/gotestsum@v1.13.0"

for pkg in ${PKGS}; do
tags=""
7 changes: 0 additions & 7 deletions .github/workflows/release.yml
@@ -24,7 +24,7 @@
- 'v*'

permissions:
contents: read

Check warning on line 27 in .github/workflows/release.yml


SonarQubeCloud / SonarCloud Code Analysis

Move this read permission from workflow level to job level.

See more on https://sonarcloud.io/project/issues?id=TykTechnologies_tyk-pump&issues=AZ2LTXELXJkIqGYU4kI0&open=AZ2LTXELXJkIqGYU4kI0&pullRequest=962

env:
GOPRIVATE: github.com/TykTechnologies
@@ -513,12 +513,5 @@
RHELARCH=${{ startsWith(matrix.arch, 'arm64') && 'aarch64' || 'x86_64' }}
cache-from: type=gha
cache-to: type=gha,mode=max
file: Dockerfile
push: false
sbom:
needs: goreleaser
uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@d3fa20888fa2878e877e22bb7702141217290e7c # main
secrets:
DEPDASH_URL: ${{ secrets.DEPDASH_URL }}
DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }}
ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
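Review bot: deleting the whole `sbom` job removes SBOM generation from every tagged release, and nothing in the visible diff replaces the call to the shared `TykTechnologies/github-actions/.github/workflows/sbom.yaml` workflow. That is a supply-chain visibility change rather than a CI cleanup and deserves a sentence in the PR description (with a link if the job is moving elsewhere). The `DEPDASH_URL`, `DEPDASH_KEY` and `ORG_GH_TOKEN` secrets are also no longer referenced by this workflow once the job is gone.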
4 changes: 2 additions & 2 deletions ci/Dockerfile.distroless
@@ -1,6 +1,6 @@
# Generated by: gromit policy

FROM debian:trixie-slim@sha256:edc9450a9fe37d30b508808052f8d0564e3ed9eaf565e043c6f5632957f7381e AS deb
FROM debian:trixie-slim AS deb

Check failure on line 3 in ci/Dockerfile.distroless


probelabs / Visor: security

security Issue

The base Docker image `debian:trixie-slim` is no longer pinned to a specific SHA256 digest. Using a floating tag (like `trixie-slim`) makes the build non-reproducible and vulnerable to tag mutation attacks, where the tag could be maliciously updated to point to a compromised image.
Raw output
To ensure build integrity and security, pin the base image to a multi-platform manifest list digest. You can find the correct digest using a command like `docker buildx imagetools inspect debian:trixie-slim` and then append it to the image name (e.g., `debian:trixie-slim@sha256:...`).
ARG TARGETARCH
ARG BUILD_PACKAGE_NAME
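Review bot: dropping the `@sha256:` digest on `FROM debian:trixie-slim AS deb` trades reproducibility for multi-arch support, as the annotations above say, but the two are compatible: pin the manifest-list digest (the top-level digest that `docker buildx imagetools inspect debian:trixie-slim` prints, which resolves to both the arm64 and x86_64 platforms the release matrix builds) instead of the per-platform digest that was removed. Note also the `# Generated by: gromit policy` header on line 1: whichever form of pin is chosen has to land in the policy template too, or the next regeneration will revert it.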

@@ -9,8 +9,8 @@
# The _ after the pkg name is to match tyk-gateway strictly and not tyk-gateway-fips (for example)
COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /
RUN dpkg -i /${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb && rm /*.deb

Check warning on line 12 in ci/Dockerfile.distroless


probelabs / Visor: architecture

architecture Issue

The Dockerfile base images are no longer pinned by digest. While removing the previous single-platform digests fixes the multi-architecture build, it sacrifices build reproducibility and security by relying on mutable tags. The architectural best practice is to pin to a multi-platform manifest list digest.
Raw output
Identify the multi-arch manifest list digests for `debian:trixie-slim` and `gcr.io/distroless/static-debian12:nonroot` and update the `FROM` instructions to use them. This can be done using a tool like `docker buildx imagetools inspect <image>:<tag>`.
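A static gate for the pinning the annotations recommend, as an added example that is not code from the tyk-pump repository or from the Visor bot: it lists every `FROM` line in a Dockerfile whose base image carries no `@sha256:` digest, skipping references to earlier build stages (`FROM deb`) and `scratch`. The function name and the constructed Dockerfile in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example: report FROM instructions whose base image is not digest-pinned.
# Usage: unpinned_from_lines ci/Dockerfile.distroless
# Prints "<line number>: <image reference>" per unpinned FROM; exit status 1 if
# any were found, 0 otherwise. Stage references, "scratch" and --platform=...
# flags are handled. A constructed input such as
#   FROM debian:trixie-slim AS deb
#   FROM gcr.io/distroless/static-debian12:nonroot
# yields two reported lines, while "FROM deb" or "FROM scratch" is not reported.
unpinned_from_lines() {
    dockerfile=$1
    stages=" "   # space-separated stage names declared with "AS <name>"
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Only FROM instructions matter; match the keyword case-insensitively.
        case "$line" in
            [Ff][Rr][Oo][Mm]\ *) ;;
            *) continue ;;
        esac
        set -- $line   # split on whitespace: FROM [--platform=...] image [AS name]
        shift          # drop the FROM keyword
        while [ "${1#--}" != "$1" ]; do shift; done   # drop --platform=... flags
        image=$1
        # Remember the stage name so later "FROM <name>" lines are not flagged.
        if [ "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" = "AS" ] && [ -n "$3" ]; then
            stages="$stages$3 "
        fi
        case "$image" in
            scratch) continue ;;      # empty base image, nothing to pin
            *@sha256:*) continue ;;   # already pinned to a digest
        esac
        case "$stages" in
            *" $image "*) continue ;; # reference to an earlier build stage
        esac
        printf '%s: %s\n' "$n" "$image"
        found=1
    done < "$dockerfile"
    return $found
}
```

An `ARG`-substituted image name is reported as unpinned because its digest cannot be verified without expanding the build argument.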

Check warning on line 12 in ci/Dockerfile.distroless


probelabs / Visor: performance

performance Issue

Base images in the Dockerfile are specified using floating tags (`debian:trixie-slim` on line 3 and `gcr.io/distroless/static-debian12:nonroot` on line 12) instead of pinned digests. While this change was necessary to enable multi-architecture builds, it can degrade build performance. Using floating tags can lead to build cache misses if the base image is updated, as Docker will pull the new version and rebuild subsequent layers. This increases build times and makes builds non-deterministic.
Raw output
To improve build performance and ensure reproducibility, pin the base images to their multi-platform manifest list digest. This provides the required multi-architecture support while guaranteeing that the build cache is leveraged effectively. You can obtain the correct digest by running `docker buildx imagetools inspect <image>:<tag>`.

Check failure on line 12 in ci/Dockerfile.distroless


probelabs / Visor: security

security Issue

The base Docker image `gcr.io/distroless/static-debian12:nonroot` is no longer pinned to a specific SHA256 digest. Using a floating tag makes the build non-reproducible and vulnerable to tag mutation attacks, where the tag could be maliciously updated to point to a compromised image.
Raw output
To ensure build integrity and security, pin the base image to a multi-platform manifest list digest. You can find the correct digest using a command like `docker buildx imagetools inspect gcr.io/distroless/static-debian12:nonroot` and then append it to the image name (e.g., `gcr.io/distroless/static-debian12:nonroot@sha256:...`).
FROM gcr.io/distroless/static-debian12:nonroot@sha256:5074667eecabac8ac5c5d395100a153a7b4e8426181cca36181cd019530f00c8
FROM gcr.io/distroless/static-debian12:nonroot
Collaborator


We can move to debian 13 here, as with nonroot static images, there shouldn't be any issue with bumping the debian version. (No GLIBC)


COPY --from=deb /opt/tyk-pump /opt/tyk-pump
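Review bot: the same applies to `FROM gcr.io/distroless/static-debian12:nonroot` on line 12: `nonroot` is a mutable tag, so the runtime base that `COPY --from=deb /opt/tyk-pump /opt/tyk-pump` lands on is now whatever the tag resolves to at build time. If the base moves to Debian 13 as the comment above proposes, that is the moment to re-pin: append the manifest-list digest to the new tag rather than leaving it floating.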
