build: add SBOM & provenance docker build attestations (#1596)

ratify-project · Jul 1, 2024 · e033cb2 · e033cb2
1 parent d862e04
commit e033cb2
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 4 deletions.
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
@@ -18,7 +18,6 @@ jobs:
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - name: prepare
@@ -50,11 +49,22 @@ jobs:
       - name: docker build ratify-crds
         run: |
           docker buildx create --use
-          docker buildx build --build-arg KUBE_VERSION="1.29.2" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+          docker buildx build \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
+            --build-arg KUBE_VERSION="1.29.2" \
+            -f crd.Dockerfile \
+            --platform linux/amd64,linux/arm64,linux/arm/v7 \
+            --label org.opencontainers.image.revision=${{ github.sha }} \
+            -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} \
+            -t ${{ steps.prepare.outputs.crdref }} \
+            --push ./charts/ratify/crds
       - name: docker build ratify base
         run: |
           docker buildx create --use         
           docker buildx build -f ./httpserver/Dockerfile \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
             --label org.opencontainers.image.revision=${{ github.sha }} \
@@ -65,6 +75,8 @@ jobs:
         run: |
           docker buildx create --use
           docker buildx build -f ./httpserver/Dockerfile \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --build-arg build_sbom=true \
             --build-arg build_licensechecker=true \

diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
@@ -19,7 +19,6 @@ jobs:
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
-
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - name: prepare
@@ -49,11 +48,21 @@ jobs:
       - name: docker build ratify-crds
         run: |
           docker buildx create --use
-          docker buildx build --build-arg KUBE_VERSION="1.29.2" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+          docker buildx build \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
+            --build-arg KUBE_VERSION="1.29.2" \
+            -f crd.Dockerfile \
+            --platform linux/amd64,linux/arm64,linux/arm/v7 \
+            --label org.opencontainers.image.revision=${{ github.sha }} \
+            -t ${{ steps.prepare.outputs.crdref }} \
+            --push ./charts/ratify/crds
       - name: docker build ratify base
         run: |
           docker buildx create --use         
           docker buildx build -f ./httpserver/Dockerfile \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
             --label org.opencontainers.image.revision=${{ github.sha }} \
@@ -63,6 +72,8 @@ jobs:
         run: |
           docker buildx create --use
           docker buildx build -f ./httpserver/Dockerfile \
+            --attest type=sbom \
+            --attest type=provenance,mode=max \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --build-arg build_sbom=true \
             --build-arg build_licensechecker=true \