Skip to content

Add workflow code to generate SBOMs and upload them to the release/pre-release #266

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jsf9k wants to merge 15 commits into
base: develop
Choose a base branch
from
+140 −2
Open

Add workflow code to generate SBOMs and upload them to the release/pre-release #266

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
54c9cf3
Add code to generate SBOMs and attach them to the release as assets
jsf9k Jan 19, 2026
d468cce
Generate SBOMs for both the ARM64 and AMD64 architectures
jsf9k Jan 21, 2026
235593d
Add (commented out) Dependabot ignore directives for SBOM-related act…
jsf9k Jan 21, 2026
516e839
Manipulate the repo name and use that in the SBOM file name
jsf9k Jan 26, 2026
9452d9a
Upgrade to the latest release of the check-jsonschema pre-commit hook
jsf9k Jan 26, 2026
6b1cd78
Alphabetize
jsf9k Jan 26, 2026
163c808
Add a comment explaining why an if statement is present
jsf9k Jan 27, 2026
d06628e
Make use of matrix.architecture to ensure the correct image is pulled
jsf9k Feb 13, 2026
20057e3
Log into Docker Hub before pulling the image to generate the SBOM
jsf9k Feb 13, 2026
cbb10da
Use the fully-qualified (including container repo) image name
jsf9k Feb 13, 2026
07d8ab8
Upgrade to the latest name and version for the attestation action
jsf9k Mar 9, 2026
caefcf9
Update code to use the digest of the image upload
jsf9k Mar 9, 2026
3414b32
Add provenance attestation for SBOM
jsf9k Mar 10, 2026
ccf97fb
Add provenance attestation for distribution
jsf9k Mar 10, 2026
0432fe7
Pare down permissions
jsf9k Mar 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,10 @@ updates:
- dependency-name: hashicorp/setup-terraform
- dependency-name: mxschmitt/action-tmate
# Managed by cisagov/skeleton-docker
# - dependency-name: actions/attest
# - dependency-name: actions/download-artifact
# - dependency-name: actions/upload-artifact
# - dependency-name: anchore/sbom-action
# - dependency-name: aquasecurity/trivy-action
# - dependency-name: docker/build-push-action
# - dependency-name: docker/login-action
Expand Down
126 changes: 126 additions & 0 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -500,6 +500,8 @@ jobs:
- prepare
- scan
- test
outputs:
digest: ${{ steps.docker_push.outputs.digest }}
permissions:
# actions/checkout needs this to fetch code
contents: read
Expand Down Expand Up @@ -607,3 +609,127 @@ jobs:
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
generate-sbom:
# Generate an SBOM for the Docker image and, if there is a
# release, upload it as an asset to the release.
#
# This job is located in this workflow as opposed to a separate
# release workflow because it can only run after the
# build-push-all job. Putting it in a separate workflow would
# require us to introduce a dependency of the release workflow on
# this one.
#
# This if statement is present to keep the push and pull_request
# events from both causing the job to be run.
if: github.event_name != 'pull_request'
name: Generate and upload SBOM
needs:
- build-push-all
- diagnostics
- repo-metadata
permissions:
# Allows us to read the SBOM artifact
actions: read
# Necessary to create the artifact storage record
artifact-metadata: write
attestations: write
# Allows us to add the SBOM to the release
contents: write
# Allows the workflow to mint the OIDC token necessary to
# request a Sigstore signing certificate.
id-token: write
# Necessary to push the SBOM attestation to ghcr.io
packages: write
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
registry:
- docker.io
- ghcr.io
sbom-format:
- cyclonedx-json
- spdx-json
steps:
- name: Apply standard cisagov job preamble
uses: cisagov/action-job-preamble@v1
with:
# This functionality is poorly implemented and has been
# causing problems due to the MITM implementation hogging or
# leaking memory. As a result we disable it by default. If
# you want to temporarily enable it, simply set
# monitor_permissions equal to "true".
#
# TODO: Re-enable this functionality when practical. See
# cisagov/skeleton-docker#224 for more details.
monitor_permissions: "false"
# Use a variable to specify the permissions monitoring
# configuration. By default this will yield the
# configuration stored in the cisagov organization-level
# variable, but if you want to use a different configuration
# then simply:
# 1. Create a repository-level variable with the name
# ACTIONS_PERMISSIONS_CONFIG.
# 2. Set this new variable's value to the configuration you
# want to use for this repository.
#
# Note in particular that changing the permissions
# monitoring configuration *does not* require you to modify
# this workflow.
permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- name: Manipulate the ref name into the format that Docker prefers
id: dockerize-ref-name
run: |
DOCKERIZED_REF=$(echo "${{ github.ref_name}}" \
| tr '[:upper:]' '[:lower:]' \
| tr '/' '-')
echo "ref=${DOCKERIZED_REF}" >> $GITHUB_OUTPUT
- name: Manipulate the repo name into the preferred format
id: manipulate-repo-name
run: |
NEW_NAME=$(echo "${{ github.repository}}" \
| tr '[:upper:]' '[:lower:]' \
| tr '/ ' '-')
echo "repo-name=${NEW_NAME}" >> $GITHUB_OUTPUT
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
password: ${{ secrets.DOCKER_PASSWORD }}
username: ${{ secrets.DOCKER_USERNAME }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
username: ${{ github.actor }}
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
artifact-name: >-
${{ steps.manipulate-repo-name.outputs.repo-name
}}.${{ matrix.registry }}.${{ matrix.sbom-format }}
format: ${{ matrix.sbom-format }}
image: >-
${{ matrix.registry }}/${{ needs.repo-metadata.outputs.image-name
}}:${{ steps.dockerize-ref-name.outputs.ref }}
output-file: >-
${{ steps.manipulate-repo-name.outputs.repo-name
}}.${{ matrix.registry }}.${{ matrix.sbom-format }}
- name: Create provenance attestation for SBOM
uses: actions/attest@v4
with:
subject-path: >-
${{ steps.manipulate-repo-name.outputs.repo-name
}}.${{ matrix.registry }}.${{ matrix.sbom-format }}
- name: Create SBOM attestation for Docker image
uses: actions/attest@v4
with:
push-to-registry: true
sbom-path: >-
${{ steps.manipulate-repo-name.outputs.repo-name
}}.${{ matrix.registry }}.${{ matrix.sbom-format }}
subject-digest: >-
${{ needs.build-push-all.outputs.digest }}
subject-name: >-
${{ matrix.registry
}}/${{ needs.repo-metadata.outputs.image-name }}
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ repos:

# GitHub Actions hooks
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.35.0
rev: 0.36.1
hooks:
- id: check-github-actions
- id: check-github-workflows
Expand Down
Loading