Feature: Generate SBOM for both ko and docker built images (#224)

Author: mchmarny

.github/actions/publish-container/action.yml

@@ -74,10 +74,9 @@ runs:
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
         fi
     
-    - name: Attest
-      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
-      id: attest
+    - name: Generate SBOM and Attest
+      uses: ./.github/actions/sbom-and-attest
       with:
-        subject-name: ${{ steps.image.outputs.name }}
-        subject-digest: ${{ steps.image.outputs.digest }}
-        push-to-registry: true
+        image_name: ${{ steps.image.outputs.name }}
+        image_digest: ${{ steps.image.outputs.digest }}
+        registry_password: ${{ inputs.registry_password }}

.github/actions/sbom-and-attest/action.yml

@@ -0,0 +1,127 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'Generate SBOM and Attest'
+description: 'Generates SBOM and build provenance attestation for container images'
+
+inputs:
+  image_name:
+    description: 'Full image name (without tag or digest)'
+    required: true
+  image_digest:
+    description: 'Image digest (sha256:...)'
+    required: true
+  registry_password:
+    description: 'Registry password for authentication'
+    required: true
+  crane_version:
+    description: 'Version of crane to install (default: v0.20.2)'
+    required: false
+    default: 'v0.20.2'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Authenticate to GHCR
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.registry_password }}
+
+    - name: Derive safe filename
+      id: name
+      shell: bash
+      run: |
+        IMAGE="${{ inputs.image_name }}"
+        SAFE="$(basename "${IMAGE%%:*}")"  # strip tag if present, then basename
+        echo "safe=$SAFE" >> "$GITHUB_OUTPUT"
+
+    - name: Generate SBOM
+      uses: anchore/sbom-action@8e94d75ddd33f69f691467e42275782e4bfefe84  # v0.20.9
+      with:
+        image: "${{ inputs.image_name }}@${{ inputs.image_digest }}"
+        format: cyclonedx-json
+        output-file: sbom-${{ steps.name.outputs.safe }}.cdx.json
+        upload-artifact: true
+        upload-release-assets: auto
+    
+    - name: Verify SBOM file
+      id: find-sbom
+      shell: bash
+      run: |
+        SBOM_FILE="sbom-${{ steps.name.outputs.safe }}.cdx.json"
+        if [ ! -f "$SBOM_FILE" ]; then
+          echo "::error::SBOM file not found: $SBOM_FILE"
+          exit 1
+        fi
+        echo "sbom_file=$SBOM_FILE" >> "$GITHUB_OUTPUT"
+
+    - name: Install Crane
+      shell: bash
+      run: |
+        if ! command -v crane &> /dev/null; then
+          echo "Installing crane ${{ inputs.crane_version }}..."
+          curl -sL "https://github.com/google/go-containerregistry/releases/download/${{ inputs.crane_version }}/go-containerregistry_Linux_x86_64.tar.gz" | tar -xz crane
+          sudo mv crane /usr/local/bin/crane
+          sudo chmod +x /usr/local/bin/crane
+        fi
+        crane version
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
+
+    - name: Cosign SBOM attestation
+      shell: bash
+      env:
+        COSIGN_EXPERIMENTAL: "1"
+      run: |
+        set -euo pipefail
+        
+        SBOM_FILE="${{ steps.find-sbom.outputs.sbom_file }}"
+        IMAGE_REF="${{ inputs.image_name }}@${{ inputs.image_digest }}"
+        
+        # Check if this is a multi-platform image (OCI index)
+        MANIFEST_TYPE=$(crane manifest "$IMAGE_REF" | jq -r '.mediaType // "unknown"')
+        
+        if [[ "$MANIFEST_TYPE" == "application/vnd.oci.image.index.v1+json" ]] || \
+           [[ "$MANIFEST_TYPE" == "application/vnd.docker.distribution.manifest.list.v2+json" ]]; then
+          # Multi-platform: attest each platform digest separately
+          PLATFORM_DIGESTS=$(crane manifest "$IMAGE_REF" | \
+            jq -r '.manifests[] | select((.annotations."vnd.docker.reference.type" // "") != "attestation-manifest") | .digest')
+          
+          while IFS= read -r DIGEST; do
+            echo "Attesting ${{ inputs.image_name }}@${DIGEST}"
+            cosign attest \
+              --yes \
+              --predicate "$SBOM_FILE" \
+              --type cyclonedx \
+              "${{ inputs.image_name }}@${DIGEST}"
+          done <<< "$PLATFORM_DIGESTS"
+        else
+          # Single-platform: attest directly
+          echo "Attesting $IMAGE_REF"
+          cosign attest \
+            --yes \
+            --predicate "$SBOM_FILE" \
+            --type cyclonedx \
+            "$IMAGE_REF"
+        fi
+
+    - name: Attest build provenance
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
+      with:
+        subject-name: ${{ inputs.image_name }}
+        subject-digest: ${{ inputs.image_digest }}
+        push-to-registry: true

.github/workflows/container-build-test.yml

@@ -123,7 +123,7 @@ jobs:
       - name: Setup build environment
         uses: ./.github/actions/setup-ci-env
 
-      - name: Test ko build for ${{ matrix.module }}
+      - name: Use ko to build ${{ matrix.module }}
         run: |
           cd ${{ matrix.module }}
           ko build --bare --platform=linux/amd64,linux/arm64 ${{ matrix.path }}

.github/workflows/publish.yml

@@ -89,9 +89,14 @@ jobs:
           path: versions.txt
           retention-days: 90
 
-  container-publish:
+  build-images-docker:
     runs-on: linux-amd64-cpu32
     timeout-minutes: 60
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
     strategy:
       matrix:
         include:
@@ -143,7 +148,7 @@ jobs:
           tag_suffix: ${{ matrix.tag_suffix }}
 
   # Build images using ko and attest provenance
-  build-images:
+  build-images-ko:
     runs-on: linux-amd64-cpu32
     timeout-minutes: 60
     permissions:
@@ -154,6 +159,7 @@ jobs:
     env:
       KO_DOCKER_REPO: ghcr.io/${{ github.repository }}
       GIT_COMMIT: ${{ github.sha }}
+      PLATFORMS: linux/amd64,linux/arm64
     outputs:
       images: ${{ steps.ko-build.outputs.images }}
     steps:
@@ -188,40 +194,38 @@ jobs:
           VERSION: ${{ steps.ref-name.outputs.value }}
         run: scripts/buildko.sh
 
-  attest:
-    needs: build-images
+  attest-and-sbom-ko:
+    needs: build-images-ko
     runs-on: linux-amd64-cpu32
     permissions:
+      contents: read
       packages: write
       id-token: write
       attestations: write
     strategy:
       matrix:
-        image: ${{ fromJson(needs.build-images.outputs.images) }}
+        image: ${{ fromJson(needs.build-images-ko.outputs.images) }}
     steps:
-      - name: Authenticate to GHCR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+      - name: Checkout Code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.tag || github.ref }}
 
-      - name: Attest build provenance
-        id: attest
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
+      - name: Generate SBOM and Attest
+        uses: ./.github/actions/sbom-and-attest
         with:
-          subject-name: ${{ matrix.image.name }}
-          subject-digest: ${{ matrix.image.digest }}
-          push-to-registry: true
+          image_name: ${{ matrix.image.name }}
+          image_digest: ${{ matrix.image.digest }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
 
   e2e-test:
     name: "E2E Test Published Images"
     runs-on: linux-amd64-cpu32
     timeout-minutes: 60
     needs:
-      - container-publish
-      - build-images
-      - attest
+      - build-images-docker
+      - build-images-ko
+      - attest-and-sbom-ko
     env:
       CLUSTER_NAME: 'nvsentinel-uat'
       FAKE_GPU_NODE_COUNT: '10'

.ko.yaml

@@ -15,56 +15,141 @@
 # .ko.yaml in the root of the repository
 defaultBaseImage: cgr.dev/chainguard/static:latest
 platforms: [linux/amd64, linux/arm64]
-
-ldflags:
-  - "-s -w"
-  - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
-
 env: [CGO_ENABLED=0]
 
 builds:
 
   - id: fault-quarantine-module
     dir: fault-quarantine-module
     main: .
+    ldflags:
+      - "-s -w"
+      - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
+    labels:
+      org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "NVSentinel Fault Quarantine Module"
+      org.opencontainers.image.description: "Fault remediation service to help with rapid node-level issues resolution in GPU-accelerated computing environments"
+      org.opencontainers.image.version: "{{.Env.VERSION}}"
+      org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
+      org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
 
   - id: fault-remediation-module
     dir: fault-remediation-module
     main: .
+    ldflags:
+      - "-s -w"
+      - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
+    labels:
+      org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "NVSentinel Fault Remediation Module"
+      org.opencontainers.image.description: "Fault remediation service to help with rapid node-level issues resolution in GPU-accelerated computing environments"
+      org.opencontainers.image.version: "{{.Env.VERSION}}"
+      org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
+      org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
 
   - id: health-events-analyzer
     dir: health-events-analyzer
     main: .
+    ldflags:
+      - "-s -w"
+      - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
+    labels:
+      org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "NVSentinel Health Events Analyzer"
+      org.opencontainers.image.description: "Fault remediation service to help with rapid node-level issues resolution in GPU-accelerated computing environments"
+      org.opencontainers.image.version: "{{.Env.VERSION}}"
+      org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
+      org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
 
   - id: csp-health-monitor
     dir: health-monitors/csp-health-monitor
     main: ./cmd/csp-health-monitor
+    ldflags:
+      - "-s -w"
+      - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
+    labels:
+      org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "NVSentinel CSP Health Monitor"
+      org.opencontainers.image.description: "Fault remediation service to help with rapid node-level issues resolution in GPU-accelerated computing environments"
+      org.opencontainers.image.version: "{{.Env.VERSION}}"
+      org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
+      org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
 
   - id: maintenance-notifier
     dir: health-monitors/csp-health-monitor
     main: ./cmd/maintenance-notifier
+    ldflags:
+      - "-s -w"
+      - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
+    labels:
+      org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "NVSentinel Maintenance Notifier"
+      org.opencontainers.image.description: "Fault remediation service to help with rapid node-level issues resolution in GPU-accelerated computing environments"
+      org.opencontainers.image.version: "{{.Env.VERSION}}"
+      org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
+      org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
 
   - id: labeler-module
     dir: labeler-module
     main: .
+    ldflags:
+      - "-s -w"
+      - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
+    labels:
+      org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "NVSentinel Labeler Module"
+      org.opencontainers.image.description: "Fault remediation service to help with rapid node-level issues resolution in GPU-accelerated computing environments"
+      org.opencontainers.image.version: "{{.Env.VERSION}}"
+      org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
+      org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
 
   - id: node-drainer-module
     dir: node-drainer-module
     main: .
+    ldflags:
+      - "-s -w"
+      - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
+    labels:
+      org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "NVSentinel Node Drainer Module"
+      org.opencontainers.image.description: "Fault remediation service to help with rapid node-level issues resolution in GPU-accelerated computing environments"
+      org.opencontainers.image.version: "{{.Env.VERSION}}"
+      org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
+      org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
 
   - id: janitor
     dir: janitor
     main: .
+    ldflags:
+      - "-s -w"
+      - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
+    labels:
+      org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "NVSentinel Janitor"
+      org.opencontainers.image.description: "Fault remediation service to help with rapid node-level issues resolution in GPU-accelerated computing environments"
+      org.opencontainers.image.version: "{{.Env.VERSION}}"
+      org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
+      org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
 
   - id: platform-connectors
     dir: platform-connectors
     main: .
-
-labels:
-  org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
-  org.opencontainers.image.licenses: "Apache-2.0"
-  org.opencontainers.image.title: "NVSentinel"
-  org.opencontainers.image.description: "Fault remediation service to help with rapidly node-level issues resolution in GPU-accelerated computing environments"
-  org.opencontainers.image.version: "{{.Env.VERSION}}"
-  org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
-  org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"
+    ldflags:
+      - "-s -w"
+      - "-X main.version={{.Env.VERSION}} -X main.commit={{.Env.GIT_COMMIT}} -X main.date={{.Env.BUILD_DATE}}"
+    labels:
+      org.opencontainers.image.source: "https://github.com/nvidia/nvsentinel"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "NVSentinel Platform Connectors"
+      org.opencontainers.image.description: "Fault remediation service to help with rapid node-level issues resolution in GPU-accelerated computing environments"
+      org.opencontainers.image.version: "{{.Env.VERSION}}"
+      org.opencontainers.image.revision: "{{.Env.GIT_COMMIT}}"
+      org.opencontainers.image.created: "{{.Env.BUILD_DATE}}"