diff --git a/.github/workflows/docker-master.yaml b/.github/workflows/docker-master.yaml
index 8dec5bc40..dc816c2fe 100644
--- a/.github/workflows/docker-master.yaml
+++ b/.github/workflows/docker-master.yaml
@@ -82,11 +82,26 @@ jobs:
 TAG=${{ steps.export_tag.outputs.operator_tag }}
 COMMITDATE=${{ steps.export_tag.outputs.commit_date }}
 COMMIT=${{ github.sha }}
+ - name: Install the bom command
+ shell: bash
+ run: go install sigs.k8s.io/bom/cmd/bom@v0.2.2
+ - name: Create SBOM file
+ shell: bash
+ run: |
+ bom generate -o elemental-operator.spdx .
+ - name: Attach SBOM file in the container image
+ shell: bash
+ run: |
+ set -e
+ cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}"
+ cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:latest"
 - name: Sign images
 env:
 COSIGN_EXPERIMENTAL: 1
 run: |
 cosign sign ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}
+ cosign sign ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}.sbom
 cosign sign ${{ env.OPERATOR_REPO }}:latest
+ cosign sign ${{ env.OPERATOR_REPO }}:latest.sbom
 cosign sign ${{ env.REGISTER_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}
 cosign sign ${{ env.REGISTER_REPO }}:latest
diff --git a/.github/workflows/docker-tag.yaml b/.github/workflows/docker-tag.yaml
index 7e39c387f..14d45c363 100644
--- a/.github/workflows/docker-tag.yaml
+++ b/.github/workflows/docker-tag.yaml
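Review bot: The two added `cosign sign …:<tag>.sbom` lines in the "Sign images" step assume the attached SBOM is reachable at a `<tag>.sbom` tag, but `cosign attach sbom` stores the attachment under a digest-derived tag (`sha256-<digest>.sbom`), so these references may resolve to nothing and fail the step. Signing the attachment through the image reference instead, `cosign sign --attachment sbom ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}-${GITHUB_SHA::7}` (and likewise for `:latest`), avoids guessing the tag; confirm the cosign version installed earlier in this workflow supports `--attachment`. The same two lines appear in the docker-tag.yaml hunk below. This step keeps the name "Sign images" while docker-tag.yaml renames its counterpart to "Sign images and sbom"; the two workflows should agree. The image references in the sign step are unquoted while the new attach step quotes them; quoting both is the safer habit when `${{ }}` can expand to an empty string.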
@@ -80,11 +80,26 @@ jobs:
 TAG=${{ steps.export_tag.outputs.operator_tag }}
 COMMITDATE=${{ steps.export_tag.outputs.commit_date }}
 COMMIT=${{ github.sha }}
- - name: Sign image
+ - name: Install the bom command
+ shell: bash
+ run: go install sigs.k8s.io/bom/cmd/bom@v0.2.2
+ - name: Create SBOM file
+ shell: bash
+ run: |
+ bom generate -o elemental-operator.spdx .
+ - name: Attach SBOM file in the container image
+ shell: bash
+ run: |
+ set -e
+ cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}"
+ cosign attach sbom --sbom elemental-operator.spdx "${{ env.OPERATOR_REPO }}:latest"
+ - name: Sign images and sbom
 env:
 COSIGN_EXPERIMENTAL: 1
 run: |
 cosign sign ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}
+ cosign sign ${{ env.OPERATOR_REPO }}:${{ steps.export_tag.outputs.operator_tag }}.sbom
 cosign sign ${{ env.OPERATOR_REPO }}:latest
+ cosign sign ${{ env.OPERATOR_REPO }}:latest.sbom
 cosign sign ${{ env.REGISTER_REPO }}:${{ steps.export_tag.outputs.operator_tag }}
 cosign sign ${{ env.REGISTER_REPO }}:latest
diff --git a/.github/workflows/gorelease.yaml b/.github/workflows/gorelease.yaml
index 3deb22a29..4f734f53a 100644
--- a/.github/workflows/gorelease.yaml
+++ b/.github/workflows/gorelease.yaml
@@ -8,6 +8,9 @@ on:
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
 steps:
 - name: Checkout
 uses: actions/checkout@v2
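Review bot: `bom generate -o elemental-operator.spdx .` in the "Create SBOM file" step walks the checked-out source tree, so the SBOM attached to the image describes the repository's Go sources rather than the contents of the built image layers, which is presumably what a consumer pulling the attachment from the registry expects. If the source-level SBOM is intended, say so above the step with `# SBOM covers the Go source tree, not the image filesystem`; otherwise generate it from the built image reference, if the pinned bom version supports image inputs. The same step appears in the docker-master.yaml hunk above. The steps list this hunk modifies continues outside the hunk.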
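Review bot: The added `permissions` block on the goreleaser job carries no comment explaining why `id-token: write` is required, and a later hunk in this file is the only place that reveals it (keyless `cosign sign-blob` under `COSIGN_EXPERIMENTAL: 1` obtains the signing identity from the runner's OIDC token). Someone tightening permissions later could drop it and break signing without an obvious link; suggest `# id-token: write — OIDC token for keyless cosign signing; contents: write — release asset upload` above the block. Keeping the block at job level, as done here, is the right scope.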
@@ -31,4 +34,25 @@ jobs:
 version: latest
 args: release --rm-dist
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Install the bom command
+ shell: bash
+ run: go install sigs.k8s.io/bom/cmd/bom@v0.2.2
+ - name: Create SBOM file
+ shell: bash
+ run: |
+ mkdir signatures
+ bom generate -o /signatures/elemental-operator.spdx .
+ - name: Sign BOM file
+ env:
+ COSIGN_EXPERIMENTAL: 1
+ run: |
+ cosign sign-blob --output-certificate signatures/elemental-operator.spdx.cert \
+ --output-signature signatures/elemental-operator.spdx.sig \
+ signatures/elemental-operator.spdx
+ - name: Release sbom
+ uses: fnkr/github-action-ghr@v1
+ if: startsWith(github.ref, 'refs/tags/')
+ env:
+ GHR_PATH: signatures/
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
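Review bot: The "Create SBOM file" step runs `mkdir signatures` (a directory relative to the workspace) but writes with `-o /signatures/elemental-operator.spdx` (an absolute path at the filesystem root), so the output targets a directory that was never created, and the following "Sign BOM file" step, which reads `signatures/elemental-operator.spdx`, will not find the file; the fix is `bom generate -o signatures/elemental-operator.spdx .`. Separately, `fnkr/github-action-ghr@v1` is pinned by a mutable tag while this job holds `contents: write` and the `GITHUB_TOKEN`; pinning to the action's full commit SHA, `uses: fnkr/github-action-ghr@<commit-sha>  # v1`, keeps a moved tag from running different code with those privileges. The SBOM generation and signing steps run on every event while only the upload is gated by `if: startsWith(github.ref, 'refs/tags/')`; if the workflow has non-tag triggers, the same condition on those steps would save a keyless signing round-trip.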