
Add workflow code to generate SBOMs and upload them to the release/pre-release#266

Open
jsf9k wants to merge 15 commits into develop from feature/add-sbom

Conversation

@jsf9k
Member

@jsf9k jsf9k commented Jan 20, 2026

🗣 Description

This pull request:

  • Adds workflow code to generate SBOMs for the Docker images
  • If we happen to be building a release or pre-release then the SBOMs will be uploaded to the release or pre-release.
  • Adds workflow code to create provenance attestations for the SBOMs and the Docker image artifact
  • Adds workflow code to create SBOM attestations for the Docker images

💭 Motivation and context

CISA advocates for the use of SBOMs, so we should be generating them for our software products.

🧪 Testing

All automated tests pass.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

✅ Pre-merge checklist

  • Mark SBOM checks as required.
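The SBOMs this workflow attaches to a release are SPDX JSON documents (the commits name them like cisagov-skeleton-docker.amd64.spdx-json). The following is an added example, not code from the pull request or the cisagov project: a small consumer-side check a release user can run over a downloaded SBOM before feeding it to a vulnerability scanner. It assumes the SPDX 2.x JSON field layout (spdxVersion, SPDXID, packages, relationships); the two sample documents are constructed for the example and are not real scan output.

```python
"""Sanity-check an SPDX 2.x JSON SBOM of the kind this workflow publishes.

Added example, not part of the pull request.  The sample documents below are
constructed; field names follow the SPDX 2.x JSON layout.
"""
import json

# Fields every SPDX 2.x JSON document and every package entry must carry.
REQUIRED_DOCUMENT_FIELDS = (
    "spdxVersion", "SPDXID", "name", "documentNamespace", "creationInfo", "packages",
)
REQUIRED_PACKAGE_FIELDS = ("SPDXID", "name", "downloadLocation")


def load_sbom(text):
    """Parse an SPDX JSON document from a string (e.g. a downloaded release asset)."""
    return json.loads(text)


def check_sbom(doc):
    """Return a list of problems found; an empty list means the document passed."""
    problems = []
    for field in REQUIRED_DOCUMENT_FIELDS:
        if field not in doc:
            problems.append(f"missing document field: {field}")
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        problems.append(f"unsupported spdxVersion: {doc.get('spdxVersion')!r}")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("document SPDXID must be SPDXRef-DOCUMENT")

    # Collect every element id so relationships can be checked for dangling refs.
    known_ids = {"SPDXRef-DOCUMENT"}
    for pkg in doc.get("packages", []):
        name = pkg.get("name", "<unnamed>")
        for field in REQUIRED_PACKAGE_FIELDS:
            if field not in pkg:
                problems.append(f"package {name} missing {field}")
        if pkg.get("SPDXID") in known_ids:
            problems.append(f"duplicate SPDXID: {pkg.get('SPDXID')}")
        known_ids.add(pkg.get("SPDXID"))
        # A package without a version cannot be matched against vulnerability data.
        if "versionInfo" not in pkg:
            problems.append(f"package {name} has no versionInfo")
    for f in doc.get("files", []):
        known_ids.add(f.get("SPDXID"))

    relationships = doc.get("relationships", [])
    for rel in relationships:
        for end in ("spdxElementId", "relatedSpdxElement"):
            ref = rel.get(end)
            if ref not in known_ids and ref not in ("NOASSERTION", "NONE"):
                problems.append(f"relationship references unknown element {ref}")
    # The document must describe at least one root element (the image here).
    describes = [
        r for r in relationships
        if r.get("relationshipType") == "DESCRIBES"
        and r.get("spdxElementId") == "SPDXRef-DOCUMENT"
    ]
    if not describes and not doc.get("documentDescribes"):
        problems.append("document does not DESCRIBES any element")
    return problems


def package_inventory(doc):
    """Sorted (name, version) pairs, the view a vulnerability scanner consumes."""
    return sorted(
        (pkg["name"], pkg.get("versionInfo", "NOASSERTION"))
        for pkg in doc.get("packages", [])
    )


# Constructed sample resembling an SBOM for the amd64 image (not a real scan).
GOOD_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "cisagov-skeleton-docker.amd64",
    "documentNamespace": "https://example.invalid/sbom/cisagov-skeleton-docker.amd64",
    "creationInfo": {"created": "2026-01-20T00:00:00Z",
                     "creators": ["Tool: example-generator"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-image", "name": "cisagov-skeleton-docker",
         "versionInfo": "0.0.1", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-musl", "name": "musl",
         "versionInfo": "1.2.4-r2", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-busybox", "name": "busybox",
         "versionInfo": "1.36.1-r15", "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-image"},
        {"spdxElementId": "SPDXRef-Package-image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-musl"},
        {"spdxElementId": "SPDXRef-Package-image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-busybox"},
    ],
})

# A damaged copy: musl loses its version and a relationship points at a missing element.
_bad = json.loads(GOOD_SBOM)
del _bad["packages"][1]["versionInfo"]
_bad["relationships"].append({"spdxElementId": "SPDXRef-Package-image",
                              "relationshipType": "CONTAINS",
                              "relatedSpdxElement": "SPDXRef-Package-ghost"})
BAD_SBOM = json.dumps(_bad)

if __name__ == "__main__":
    for label, text in (("good", GOOD_SBOM), ("bad", BAD_SBOM)):
        doc = load_sbom(text)
        print(label, check_sbom(doc) or "OK", package_inventory(doc))
```

This checks only the SBOM's structure; whether the file is the one the workflow actually produced is the job of the attestation the PR also adds, which is checked separately with the GitHub CLI (`gh attestation verify`) against the release asset.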

@jsf9k jsf9k self-assigned this Jan 20, 2026
@jsf9k jsf9k moved this to In Progress in Next Kraken Jan 20, 2026
@jsf9k
Member Author

jsf9k commented Jan 20, 2026

Note that the lint job should pass once SchemaStore/schemastore#5292 is merged and python-jsonschema/check-jsonschema#638 is resolved.

@github-actions github-actions bot added the github-actions label Jan 20, 2026
@jsf9k jsf9k force-pushed the feature/add-sbom branch 9 times, most recently from dd335f9 to d01a5b8 Compare January 21, 2026 04:10
jsf9k added 2 commits January 20, 2026 23:59
Thus our SBOMs are named, e.g., cisagov-skeleton-docker.amd64.spdx-json rather than sbom.amd64.spdx-json.
The latest release supports the artifact-metadata permission that we are now using in the generate-sbom job of the build.yml GitHub Actions workflow.
@github-actions github-actions bot added the dependencies, documentation and version bump labels Jan 26, 2026
@jsf9k jsf9k removed the documentation and version bump labels Jan 26, 2026
This reduces the chance that Docker Hub rate limits our request.
In this case we want to pull the image from Docker Hub.
@github-actions github-actions bot added the documentation and version bump labels Feb 13, 2026
@jsf9k jsf9k requested a review from dav3r February 13, 2026 20:11
@jsf9k jsf9k removed the documentation and version bump labels Feb 13, 2026
Note that actions/attest-build-provenance has changed its name to actions/attest, partly because it now supports different types of attestations. One such type is an SBOM attestation, which we are now using here.
@jsf9k jsf9k force-pushed the feature/add-sbom branch 7 times, most recently from be1d7c1 to 9c2d344 Compare March 10, 2026 14:11
@jsf9k jsf9k force-pushed the feature/add-sbom branch from 9c2d344 to 3414b32 Compare March 10, 2026 14:30
@jsf9k jsf9k force-pushed the feature/add-sbom branch 2 times, most recently from 1503b23 to 7eb4b41 Compare March 10, 2026 17:38
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
