🤖 Add SBOM artifacts to CI pipelines (#998)

* 🤖 Add image-sbom target Signed-off-by: mudler <mudler@c3os.io> * 🤖 Add image-sbom to main targets Signed-off-by: mudler <mudler@c3os.io> * 🤖 Add SBOM artifacts to pipelines Signed-off-by: mudler <mudler@c3os.io> --------- Signed-off-by: mudler <mudler@c3os.io>
2025-02-09 05:18:51 +00:00 · 2023-03-02 09:43:30 +01:00 · 2023-03-02 09:43:30 +01:00 · 1460d77fdb
commit 1460d77fdb
parent 99749ed679
4 changed files with 30 additions and 16 deletions
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@ -66,6 +66,13 @@ jobs:
            *.iso
            *.sha256
          if-no-files-found: error
+      - uses: actions/upload-artifact@v3
+        with:
+          name: kairos-${{ matrix.flavor }}.sbom.zip
+          path: |
+            *.syft.json
+            *.spdx.json
+          if-no-files-found: error
      - uses: actions/upload-artifact@v3
        with:
          name: kairos-${{ matrix.flavor }}.initrd.zip
--- a/.github/workflows/release-arm.yaml
+++ b/.github/workflows/release-arm.yaml
@ -92,3 +92,9 @@ jobs:
          sudo luet util pack quay.io/kairos/core-${{ matrix.flavor }}:$VERSION.img build.tar image.tar
          sudo -E docker load -i image.tar
          sudo -E docker push quay.io/kairos/core-${{ matrix.flavor }}:$VERSION.img
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: |
+            build/*.json
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -118,22 +118,6 @@ jobs:
        with:
          files: |
            release/*
-      - run: |
-          sudo mv release/*.iso ./
-          sudo mv release/*.sha256 ./
-          sudo mv release/*.sha256.pem ./
-          sudo mv release/*.sha256.sig ./
-      - uses: actions/upload-artifact@v3
-        with:
-          name: kairos-${{ matrix.flavor }}.iso.zip
-          path: |
-            *.iso
-            *.sha256
-            *.sha256.pem
-            *.sha256.sig
-          if-no-files-found: error
-
-
 # build-vm-images:
 #   needs: build
 #   runs-on: macos-12
--- a/17
+++ b/17
@ -36,12 +36,14 @@ ARG IMAGE_REPOSITORY_ORG=quay.io/kairos

 all:
  BUILD +docker
+  BUILD +image-sbom
  BUILD +iso
  BUILD +netboot
  BUILD +ipxe-iso

 all-arm:
  BUILD --platform=linux/arm64 +docker
+  BUILD +image-sbom
  BUILD +arm-image

 go-deps:
@ -196,6 +198,21 @@ lint:
    BUILD +shellcheck-lint
    BUILD +yamllint

+syft:
+    FROM anchore/syft:latest
+    SAVE ARTIFACT /syft syft
+
+image-sbom:
+    FROM +docker
+    WORKDIR /build
+    COPY +version/VERSION ./
+    ARG VERSION=$(cat VERSION)
+    ARG FLAVOR
+    COPY +syft/syft /usr/bin/syft
+    RUN syft / -o json=sbom.syft.json -o spdx-json=sbom.spdx.json
+    SAVE ARTIFACT /build/sbom.syft.json sbom.syft.json AS LOCAL core-${FLAVOR}-${VERSION}-sbom.syft.json
+    SAVE ARTIFACT /build/sbom.spdx.json sbom.spdx.json AS LOCAL core-${FLAVOR}-${VERSION}-sbom.spdx.json
+
 luet:
    FROM quay.io/luet/base:$LUET_VERSION
    SAVE ARTIFACT /usr/bin/luet /luet