feat/sbom2 wip

mchmarny · mchmarny · commit 26dbc8d7a317 · 2025-10-30T17:15:17.000-07:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -20,6 +20,7 @@ on:
       - 'v*'
     branches:
       - main
+      - 'pull-request/*'
     paths-ignore:
       - '**/*.md'
       - 'docs/**'
@@ -214,6 +215,55 @@ jobs:
           subject-digest: ${{ matrix.image.digest }}
           push-to-registry: true
 
+  sbom-ko:
+    needs: build-images
+    runs-on: linux-amd64-cpu32
+    permissions:
+      contents: read
+      id-token: write         # required for Cosign keyless signing
+      packages: write         # needed to push attestations to GHCR
+      security-events: write  # only needed if you also upload SARIF somewhere
+    strategy:
+      matrix:
+        image: ${{ fromJson(needs.build-images.outputs.images) }}
+    steps:
+      - name: Authenticate to GHCR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Derive safe filename
+        id: name
+        shell: bash
+        run: |
+          IMAGE="${{ matrix.image.name }}"
+          SAFE="$(basename "${IMAGE%%:*}")"  # strip tag if present, then basename
+          echo "safe=$SAFE" >> "$GITHUB_OUTPUT"
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@8e94d75ddd33f69f691467e42275782e4bfefe84  # v0.20.9
+        with:
+          image: "${{ matrix.image.name }}@${{ matrix.image.digest }}"
+          format: cyclonedx-json
+          output-file: sbom-${{ steps.name.outputs.safe }}.cdx.json
+          upload-artifact: true          # also uploads to the workflow run
+          upload-release-assets: auto    # 'auto' == assets on tags
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
+
+      - name: Cosign SBOM attestation
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cosign attest \
+            --yes \
+            --predicate sbom-${{ steps.name.outputs.safe }}.cdx.json \
+            --type cyclonedx \
+            "${{ matrix.image.name }}@${{ matrix.image.digest }}"
+
   e2e-test:
     name: "E2E Test Published Images"
     runs-on: linux-amd64-cpu32
@@ -222,6 +272,7 @@ jobs:
       - container-publish
       - build-images
       - attest
+      - sbom-ko
     env:
       CLUSTER_NAME: 'nvsentinel-uat'
       FAKE_GPU_NODE_COUNT: '10'
