Add sbom to releases and attach to containers (#160)

.github/workflows/docker-master.yaml

@@ -82,11 +82,26 @@ jobs:
             TAG=${{ steps.export_tag.outputs.operator_tag }}
             COMMITDATE=${{ steps.export_tag.outputs.commit_date }}
             COMMIT=${{ github.sha }}
+      - name: Install the bom command
+        shell: bash
+        run: go install sigs.k8s.io/bom/cmd/[email protected]
+      - name: Create SBOM file
+        shell: bash
+        run: |
+          bom generate -o elemental-operator.spdx .
+      - name: Attach SBOM file in the container image
+        shell: bash
+        run: |
+          set -e
+          cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}"
+          cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:latest"
       - name: Sign images
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
           cosign sign ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}
+          cosign sign ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}.sbom
           cosign sign ${{ env.OPERATOR_REPO }}:latest
+          cosign sign ${{ env.OPERATOR_REPO }}:latest.sbom
           cosign sign ${{ env.REGISTER_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}
           cosign sign ${{ env.REGISTER_REPO }}:latest

.github/workflows/docker-tag.yaml

@@ -80,11 +80,26 @@ jobs:
             TAG=${{ steps.export_tag.outputs.operator_tag }}
             COMMITDATE=${{ steps.export_tag.outputs.commit_date }}
             COMMIT=${{ github.sha }}
-      - name: Sign image
+      - name: Install the bom command
+        shell: bash
+        run: go install sigs.k8s.io/bom/cmd/[email protected]
+      - name: Create SBOM file
+        shell: bash
+        run: |
+          bom generate -o elemental-operator.spdx .
+      - name: Attach SBOM file in the container image
+        shell: bash
+        run: |
+          set -e
+          cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}"
+          cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:latest"
+      - name: Sign images and sbom
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
           cosign sign ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}
+          cosign sign ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}.sbom
           cosign sign ${{ env.OPERATOR_REPO }}:latest
+          cosign sign ${{ env.OPERATOR_REPO }}:latest.sbom
           cosign sign ${{ env.REGISTER_REPO }}:${{ steps.export_tag.outputs.operator_tag }}
           cosign sign ${{ env.REGISTER_REPO }}:latest

.github/workflows/gorelease.yaml

@@ -8,6 +8,9 @@ on:
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -31,4 +34,25 @@ jobs:
           version: latest
           args: release --rm-dist
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install the bom command
+        shell: bash
+        run: go install sigs.k8s.io/bom/cmd/[email protected]
+      - name: Create SBOM file
+        shell: bash
+        run: |
+          mkdir signatures
+          bom generate -o /signatures/elemental-operator.spdx .
+      - name: Sign BOM file
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign-blob --output-certificate signatures/elemental-operator.spdx.cert \
+          --output-signature signatures/elemental-operator.spdx.sig \
+          signatures/elemental-operator.spdx
+      - name: Release sbom
+        uses: fnkr/github-action-ghr@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          GHR_PATH: signatures/
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}