wip

tarilabs · tarilabs · commit 693635f59aa3 · 2025-09-12T10:16:57.000+02:00
Signed-off-by: Matteo Mortari &lt;matteo.mortari@gmail.com&gt;
diff --git a/.github/workflows/build-and-push-async-upload.yml b/.github/workflows/build-and-push-async-upload.yml
@@ -13,6 +13,7 @@ on:
       - '!**.gitignore'
       - '!**.md'
       - '!**.txt'
+      - '.github/workflows/build-and-push-async-upload.yml' # self
 
 env:
   IMG_REGISTRY: ghcr.io
@@ -64,3 +65,5 @@ jobs:
           ${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_NAME }}:main
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        provenance: mode=max # pay attention no secrets are passed as build arguments: https://docs.docker.com/build/ci/github-actions/attestations/#default-provenance:~:text=don%27t%20support%20attestations.-,Warning,-If%20you%27re%20using
+        sbom: true
diff --git a/.github/workflows/build-and-push-csi-image.yml b/.github/workflows/build-and-push-csi-image.yml
@@ -13,6 +13,8 @@ on:
       - '.github/ISSUE_TEMPLATE/**'
       - '.github/dependabot.yml'
       - 'docs/**'
+permissions: # default workflow permission, overridden for specific job where required
+  contents: read
 env:
   IMG_REGISTRY: ghcr.io
   IMG_ORG: kubeflow
@@ -24,7 +26,8 @@ jobs:
   build-csi-image:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      actions: read # anchore/sbom-action for syft
+      contents: write # anchore/sbom-action for syft
       packages: write
     steps:
       # Assign context variable for various action contexts (tag, main, CI)
@@ -66,6 +69,18 @@ jobs:
         env:
           IMG: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}"
         run: IMG=${{ env.IMG }} IMG_VERSION=${{ env.VERSION }} make image/push
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}:${{ env.VERSION }}"
+          format: spdx-json # default, but making sure of the format
+          artifact-name: "model-registry-server-${{ env.VERSION }}-sbom.spdx.json"
+          output-file: "model-registry-server-${{ env.VERSION }}-sbom.spdx.json" # pin the file to use it later below
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Attach SBOM to Image
+        run: |
+          cosign attach sbom --sbom model-registry-server-${{ env.VERSION }}-sbom.spdx.json "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}:${{ env.VERSION }}"
       # Tag latest and main
       - name: Tag Latest
         if: env.BUILD_CONTEXT == 'main' && env.PUSH_IMAGE == 'true'
diff --git a/.github/workflows/build-and-push-image.yml b/.github/workflows/build-and-push-image.yml
@@ -54,18 +54,17 @@ jobs:
       - name: Build and Push Image
         shell: bash
         run: ./scripts/build_deploy.sh
-      - uses: anchore/sbom-action@v0
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
         with:
           image: "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}:${{ env.VERSION }}"
-          format: spdx-json # default, but important to pin to use it later
+          format: spdx-json # default, but making sure of the format
           artifact-name: "model-registry-server-${{ env.VERSION }}-sbom.spdx.json"
           output-file: "model-registry-server-${{ env.VERSION }}-sbom.spdx.json" # pin the file to use it later below
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.9.2
+        uses: sigstore/cosign-installer@v3
       - name: Attach SBOM to Image
         run: |
-          cosign version
-          ls -la *.json 
           cosign attach sbom --sbom model-registry-server-${{ env.VERSION }}-sbom.spdx.json "${{ env.IMG_REGISTRY }}/${{ env.IMG_ORG }}/${{ env.IMG_REPO }}:${{ env.VERSION }}"
       - name: Tag Latest
         if: env.BUILD_CONTEXT == 'main'
diff --git a/.github/workflows/build-and-push-ui-images-standalone.yml b/.github/workflows/build-and-push-ui-images-standalone.yml
@@ -76,4 +76,6 @@ jobs:
           DEPLOYMENT_MODE=standalone
           STYLE_THEME=mui-theme
         cache-from: type=gha
-        cache-to: type=gha,mode=max
+        cache-to: type=gha,mode=max
+        provenance: mode=max # pay attention no secrets are passed as build arguments: https://docs.docker.com/build/ci/github-actions/attestations/#default-provenance:~:text=don%27t%20support%20attestations.-,Warning,-If%20you%27re%20using
+        sbom: true
diff --git a/.github/workflows/build-and-push-ui-images.yml b/.github/workflows/build-and-push-ui-images.yml
@@ -76,4 +76,6 @@ jobs:
           DEPLOYMENT_MODE=kubeflow
           STYLE_THEME=mui-theme
         cache-from: type=gha
-        cache-to: type=gha,mode=max
+        cache-to: type=gha,mode=max
+        provenance: mode=max # pay attention no secrets are passed as build arguments: https://docs.docker.com/build/ci/github-actions/attestations/#default-provenance:~:text=don%27t%20support%20attestations.-,Warning,-If%20you%27re%20using
+        sbom: true
