From e033cb28203913a59633f01e38845abd6f89bde8 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Mon, 1 Jul 2024 10:41:23 -0700
Subject: [PATCH] build: add SBOM & provenance docker build attestations (#1596)
---
 .github/workflows/publish-dev-assets.yml | 16 ++++++++++++++--
 .github/workflows/publish-package.yml | 15 +++++++++++++--
 2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
index 8af578658..0ba7a2f7a 100644
--- a/.github/workflows/publish-dev-assets.yml
+++ b/.github/workflows/publish-dev-assets.yml
@@ -18,7 +18,6 @@ jobs:
 uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
 egress-policy: audit
-
 - name: Checkout
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 - name: prepare
@@ -50,11 +49,22 @@ jobs:
 - name: docker build ratify-crds
 run: |
 docker buildx create --use
- docker buildx build --build-arg KUBE_VERSION="1.29.2" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+ docker buildx build \
+ --attest type=sbom \
+ --attest type=provenance,mode=max \
+ --build-arg KUBE_VERSION="1.29.2" \
+ -f crd.Dockerfile \
+ --platform linux/amd64,linux/arm64,linux/arm/v7 \
+ --label org.opencontainers.image.revision=${{ github.sha }} \
+ -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} \
+ -t ${{ steps.prepare.outputs.crdref }} \
+ --push ./charts/ratify/crds
 - name: docker build ratify base
 run: |
 docker buildx create --use
 docker buildx build -f ./httpserver/Dockerfile \
+ --attest type=sbom \
+ --attest type=provenance,mode=max \
 --platform linux/amd64,linux/arm64,linux/arm/v7 \
 --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
 --label org.opencontainers.image.revision=${{ github.sha }} \
@@ -65,6 +75,8 @@ jobs:
 run: |
 docker buildx create --use
 docker buildx build -f ./httpserver/Dockerfile \
+ --attest type=sbom \
+ --attest type=provenance,mode=max \
 --platform linux/amd64,linux/arm64,linux/arm/v7 \
 --build-arg build_sbom=true \
 --build-arg build_licensechecker=true \
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index 186395bd2..88335059e 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -19,7 +19,6 @@ jobs:
 uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
 egress-policy: audit
-
 - name: Checkout
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 - name: prepare
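Review bot: `--attest type=provenance,mode=max` on the new `docker buildx build` lines records the build invocation, including `--build-arg` values, inside the attestation that is pushed with the image, if I read the BuildKit provenance documentation right; `KUBE_VERSION` and `LDFLAGS` are harmless today, but any sensitive build arg added to these steps later would be published along with the image, whereas BuildKit's `--secret` mounts stay out of the provenance. A comment above each `--attest type=provenance,mode=max` line would keep that from being forgotten, e.g. `# mode=max provenance publishes every --build-arg value; pass sensitive inputs via --secret, never --build-arg`. Unrelated to this change but visible in the hunk's context, `Version=$(TAG)` inside a `run:` step reads as a shell command substitution rather than a variable expansion, so the version string that ends up in the binary and in the recorded build args is worth confirming. The same point applies to the matching `@@ -49,11 +48,21 @@` hunk of `.github/workflows/publish-package.yml`.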
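Review bot: This step now combines `--build-arg build_sbom=true` with the new `--attest type=sbom`, so the published image presumably carries two SBOMs produced by different tooling (whatever the Dockerfile does with `build_sbom`, plus BuildKit's scanner), and the two can disagree on package lists; a comment above the `--attest type=sbom` line stating which one downstream verification treats as authoritative, e.g. `# two SBOMs are produced here (build_sbom=true inside the image, this BuildKit attestation alongside it); verifiers use: <TODO>`, would remove that ambiguity, or the redundant one could be dropped. The attestations added here are generated by the builder on the runner and nothing in this hunk signs them, so unless a step outside the hunk signs the pushed index (the rest of this step and any signing step are beyond the hunk), a consumer cannot distinguish them from attestations re-attached by anyone with push access to the registry. The same applies to the `@@ -63,6 +72,8 @@` hunk of `.github/workflows/publish-package.yml`.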
@@ -49,11 +48,21 @@ jobs:
 - name: docker build ratify-crds
 run: |
 docker buildx create --use
- docker buildx build --build-arg KUBE_VERSION="1.29.2" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+ docker buildx build \
+ --attest type=sbom \
+ --attest type=provenance,mode=max \
+ --build-arg KUBE_VERSION="1.29.2" \
+ -f crd.Dockerfile \
+ --platform linux/amd64,linux/arm64,linux/arm/v7 \
+ --label org.opencontainers.image.revision=${{ github.sha }} \
+ -t ${{ steps.prepare.outputs.crdref }} \
+ --push ./charts/ratify/crds
 - name: docker build ratify base
 run: |
 docker buildx create --use
 docker buildx build -f ./httpserver/Dockerfile \
+ --attest type=sbom \
+ --attest type=provenance,mode=max \
 --platform linux/amd64,linux/arm64,linux/arm/v7 \
 --build-arg LDFLAGS="-X github.com/ratify-project/ratify/internal/version.Version=$(TAG)" \
 --label org.opencontainers.image.revision=${{ github.sha }} \
@@ -63,6 +72,8 @@ jobs:
 run: |
 docker buildx create --use
 docker buildx build -f ./httpserver/Dockerfile \
+ --attest type=sbom \
+ --attest type=provenance,mode=max \
 --platform linux/amd64,linux/arm64,linux/arm/v7 \
 --build-arg build_sbom=true \
 --build-arg build_licensechecker=true \