🤖 Add SBOM artifacts to CI pipelines (#998)

* 🤖 Add image-sbom target

Signed-off-by: mudler <mudler@c3os.io>

* 🤖 Add image-sbom to main targets

Signed-off-by: mudler <mudler@c3os.io>

* 🤖 Add SBOM artifacts to pipelines

Signed-off-by: mudler <mudler@c3os.io>

---------

Signed-off-by: mudler <mudler@c3os.io>

.github/workflows/image.yaml

@@ -66,6 +66,13 @@ jobs:
             *.iso
             *.sha256
           if-no-files-found: error
+      - uses: actions/upload-artifact@v3
+        with:
+          name: kairos-${{ matrix.flavor }}.sbom.zip
+          path: |
+            *.syft.json
+            *.spdx.json
+          if-no-files-found: error
       - uses: actions/upload-artifact@v3
         with:
           name: kairos-${{ matrix.flavor }}.initrd.zip

.github/workflows/release-arm.yaml

@@ -92,3 +92,9 @@ jobs:
           sudo luet util pack quay.io/kairos/core-${{ matrix.flavor }}:$VERSION.img build.tar image.tar
           sudo -E docker load -i image.tar
           sudo -E docker push quay.io/kairos/core-${{ matrix.flavor }}:$VERSION.img
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: |
+            build/*.json

.github/workflows/release.yaml

@@ -118,22 +118,6 @@ jobs:
         with:
           files: |
             release/*
-      - run: |
-          sudo mv release/*.iso ./
-          sudo mv release/*.sha256 ./
-          sudo mv release/*.sha256.pem ./
-          sudo mv release/*.sha256.sig ./
-      - uses: actions/upload-artifact@v3
-        with:
-          name: kairos-${{ matrix.flavor }}.iso.zip
-          path: |
-            *.iso
-            *.sha256
-            *.sha256.pem
-            *.sha256.sig
-          if-no-files-found: error
-
-
 # build-vm-images:
 #   needs: build
 #   runs-on: macos-12

Earthfile

@@ -36,12 +36,14 @@ ARG IMAGE_REPOSITORY_ORG=quay.io/kairos
 
 all:
   BUILD +docker
+  BUILD +image-sbom
   BUILD +iso
   BUILD +netboot
   BUILD +ipxe-iso
 
 all-arm:
   BUILD --platform=linux/arm64 +docker
+  BUILD +image-sbom
   BUILD +arm-image
 
 go-deps:
@@ -196,6 +198,21 @@ lint:
     BUILD +shellcheck-lint
     BUILD +yamllint
 
+syft:
+    FROM anchore/syft:latest
+    SAVE ARTIFACT /syft syft
+
+image-sbom:
+    FROM +docker
+    WORKDIR /build
+    COPY +version/VERSION ./
+    ARG VERSION=$(cat VERSION)
+    ARG FLAVOR
+    COPY +syft/syft /usr/bin/syft
+    RUN syft / -o json=sbom.syft.json -o spdx-json=sbom.spdx.json
+    SAVE ARTIFACT /build/sbom.syft.json sbom.syft.json AS LOCAL core-${FLAVOR}-${VERSION}-sbom.syft.json
+    SAVE ARTIFACT /build/sbom.spdx.json sbom.spdx.json AS LOCAL core-${FLAVOR}-${VERSION}-sbom.spdx.json
+
 luet:
     FROM quay.io/luet/base:$LUET_VERSION
     SAVE ARTIFACT /usr/bin/luet /luet