feat: generate/upload sbom for cosign projects

Signed-off-by: Batuhan Apaydın <[email protected]>

.github/workflows/build.yaml

@@ -35,6 +35,8 @@ jobs:
         with:
           go-version: '1.17.x'
       - uses: imjasonh/[email protected]
+        with:
+          version: tip
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@master
         with:

Makefile

@@ -51,7 +51,7 @@ SRCS = $(shell find cmd -iname "*.go") $(shell find pkg -iname "*.go")
 GOLANGCI_LINT_DIR = $(shell pwd)/bin
 GOLANGCI_LINT_BIN = $(GOLANGCI_LINT_DIR)/golangci-lint
 
-KO_PREFIX ?= gcr.io/projectsigstore
+KO_PREFIX ?= docker.io/devopps
 export KO_DOCKER_REPO=$(KO_PREFIX)
 
 .PHONY: all lint test clean cosign cross
@@ -127,26 +127,26 @@ clean:
 .PHONY: ko
 ko:
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	ko publish --base-import-paths --bare \
+	ko publish --base-import-paths --bare --sbom \
 		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH) \
 		github.com/sigstore/cosign/cmd/cosign
 
 	# cosigned
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	KO_DOCKER_REPO=${KO_PREFIX}/cosigned ko publish --bare \
+	KO_DOCKER_REPO=${KO_PREFIX}/cosigned ko publish --bare --sbom \
 		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH) \
 		github.com/sigstore/cosign/cmd/cosign/webhook
 
 	# sget
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	ko publish --base-import-paths --bare \
+	ko publish --base-import-paths --bare --sbom \
 		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH) \
 		github.com/sigstore/cosign/cmd/sget
 
 .PHONY: ko-local
 ko-local:
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	ko publish --base-import-paths --bare \
+	ko publish --base-import-paths --bare --sbom \
 		--tags $(GIT_VERSION) --tags $(GIT_HASH) --local \
 		github.com/sigstore/cosign/cmd/cosign