cisagov · jsf9k · Jan 19, 2026 · Jan 21, 2026 · Jan 21, 2026 · Jan 26, 2026
@@ -33,8 +33,10 @@ updates:
       - dependency-name: hashicorp/setup-terraform
       - dependency-name: mxschmitt/action-tmate
       # Managed by cisagov/skeleton-docker
+      # - dependency-name: actions/attest-build-provenance
       # - dependency-name: actions/download-artifact
       # - dependency-name: actions/upload-artifact
+      # - dependency-name: anchore/sbom-action
       # - dependency-name: aquasecurity/trivy-action
       # - dependency-name: docker/build-push-action
       # - dependency-name: docker/login-action

@@ -607,3 +607,110 @@ jobs:
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
+  generate-sbom:
+    # Generate an SBOM for the Docker image and, if there is a
+    # release, upload it as an asset to the release.
+    #
+    # This job is located in this workflow as opposed to a separate
+    # release workflow because it can only run after the
+    # build-push-all job.  Putting it in a separate workflow would
+    # require us to introduce a dependency of the release workflow on
+    # this one.
+    #
+    # This if statement is present to keep the push and pull_request
+    # events from both causing the job to be run.
+    if: github.event_name != 'pull_request'
+    name: Generate and upload SBOM
+    needs:
+      - build-push-all
+      - diagnostics
+      - repo-metadata
+    permissions:
+      # Allows us to read the SBOM artifact
+      actions: read
+      artifact-metadata: write
+      attestations: write
+      # Allows us to add the SBOM to the release
+      contents: write
+      # Allows the workflow to mint the OIDC token necessary to
+      # request a Sigstore signing certificate.
+      id-token: write
+    # This line is long, but if I use a block style indicator then GH
+    # Actions doesn't parse and execute the expression.
+    # yamllint disable-line rule:line-length
+    runs-on: ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          - amd64
+          - arm64
+        sbom-format:
+          - cyclonedx-json
+          - spdx-json
+    steps:
+      - name: Apply standard cisagov job preamble
+        uses: cisagov/action-job-preamble@v1
+        with:
+          # This functionality is poorly implemented and has been
+          # causing problems due to the MITM implementation hogging or
+          # leaking memory.  As a result we disable it by default.  If
+          # you want to temporarily enable it, simply set
+          # monitor_permissions equal to "true".
+          #
+          # TODO: Re-enable this functionality when practical.  See
+          # cisagov/skeleton-docker#224 for more details.
+          monitor_permissions: "false"
+          # Use a variable to specify the permissions monitoring
+          # configuration. By default this will yield the
+          # configuration stored in the cisagov organization-level
+          # variable, but if you want to use a different configuration
+          # then simply:
+          # 1. Create a repository-level variable with the name
+          # ACTIONS_PERMISSIONS_CONFIG.
+          # 2. Set this new variable's value to the configuration you
+          # want to use for this repository.
+          #
+          # Note in particular that changing the permissions
+          # monitoring configuration *does not* require you to modify
+          # this workflow.
+          permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      - name: Manipulate the ref name into the format that Docker prefers
+        id: dockerize-ref-name
+        run: |
+          DOCKERIZED_REF=$(echo "${{ github.ref_name}}" \
+          | tr '[:upper:]' '[:lower:]' \
+          | tr '/' '-')
+          echo "ref=${DOCKERIZED_REF}" >> $GITHUB_OUTPUT
+      - name: Manipulate the repo name into the preferred format
+        id: manipulate-repo-name
+        run: |
+          NEW_NAME=$(echo "${{ github.repository}}" \
+          | tr '[:upper:]' '[:lower:]' \
+          | tr '/ ' '-')
+          echo "repo-name=${NEW_NAME}" >> $GITHUB_OUTPUT
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          artifact-name: >-
+            ${{ steps.manipulate-repo-name.outputs.repo-name }}.${{
+            matrix.architecture }}.${{ matrix.sbom-format }}
+          format: ${{ matrix.sbom-format }}
+          image: >-
+            docker.io/${{ needs.repo-metadata.outputs.image-name
+            }}:${{ steps.dockerize-ref-name.outputs.ref }}
+          platform: linux/${{ matrix.architecture }}
+          output-file: >-
+            ${{ steps.manipulate-repo-name.outputs.repo-name }}.${{
+            matrix.architecture }}.${{ matrix.sbom-format }}
+      - name: Attest build provenance for the SBOM
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: >-
+            ${{ steps.manipulate-repo-name.outputs.repo-name }}.${{
+            matrix.architecture }}.${{ matrix.sbom-format }}
@@ -65,7 +65,7 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.35.0
+    rev: 0.36.1
     hooks:
       - id: check-github-actions
       - id: check-github-workflows