chore: refactor to maximize re-use

mchmarny · mchmarny · commit ecc6e6878352 · 2025-10-30T18:02:41.000-07:00
diff --git a/.github/actions/publish-container/action.yml b/.github/actions/publish-container/action.yml
@@ -74,41 +74,9 @@ runs:
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
         fi
     
-    - name: Attest
-      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
-      id: attest
+    - name: Generate SBOM and Attest
+      uses: ./.github/actions/sbom-and-attest
       with:
-        subject-name: ${{ steps.image.outputs.name }}
-        subject-digest: ${{ steps.image.outputs.digest }}
-        push-to-registry: true
-
-    - name: Derive safe filename
-      id: name
-      shell: bash
-      run: |
-        IMAGE="${{ steps.image.outputs.name  }}"
-        SAFE="$(basename "${IMAGE%%:*}")"  # strip tag if present, then basename
-        echo "safe=$SAFE" >> "$GITHUB_OUTPUT"
-
-    - name: Generate SBOM
-      uses: anchore/sbom-action@8e94d75ddd33f69f691467e42275782e4bfefe84  # v0.20.9
-      with:
-        image: ${{ steps.image.outputs.name  }}@${{ steps.image.outputs.digest }}
-        format: cyclonedx-json
-        output-file: sbom-${{ steps.name.outputs.safe }}.cdx.json
-        upload-artifact: true          # also uploads to the workflow run
-        upload-release-assets: auto    # 'auto' == assets on tags
-
-    - name: Install Cosign
-      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
-
-    - name: Cosign SBOM attestation
-      shell: bash
-      env:
-        COSIGN_EXPERIMENTAL: "1"
-      run: |
-        cosign attest \
-          --yes \
-          --predicate sbom-${{ steps.name.outputs.safe }}.cdx.json \
-          --type cyclonedx \
-          ${{ steps.image.outputs.name  }}@${{ steps.image.outputs.digest }}
+        image_name: ${{ steps.image.outputs.name }}
+        image_digest: ${{ steps.image.outputs.digest }}
+        registry_password: ${{ inputs.registry_password }}
diff --git a/.github/actions/sbom-and-attest/action.yml b/.github/actions/sbom-and-attest/action.yml
@@ -0,0 +1,73 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'Generate SBOM and Attest'
+description: 'Generates SBOM and build provenance attestation for container images'
+
+inputs:
+  image_name:
+    description: 'Full image name (without tag or digest)'
+    required: true
+  image_digest:
+    description: 'Image digest (sha256:...)'
+    required: true
+  registry_password:
+    description: 'Registry password for authentication'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Authenticate to GHCR
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.registry_password }}
+
+    - name: Derive safe filename
+      id: name
+      shell: bash
+      run: |
+        IMAGE="${{ inputs.image_name }}"
+        SAFE="$(basename "${IMAGE%%:*}")"  # strip tag if present, then basename
+        echo "safe=$SAFE" >> "$GITHUB_OUTPUT"
+
+    - name: Generate SBOM
+      uses: anchore/sbom-action@8e94d75ddd33f69f691467e42275782e4bfefe84  # v0.20.9
+      with:
+        image: "${{ inputs.image_name }}@${{ inputs.image_digest }}"
+        format: cyclonedx-json
+        output-file: sbom-${{ steps.name.outputs.safe }}.cdx.json
+        upload-artifact: true          # also uploads to the workflow run
+        upload-release-assets: auto    # 'auto' == assets on tags
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
+
+    - name: Cosign SBOM attestation
+      shell: bash
+      run: |
+        cosign attest \
+          --yes \
+          --predicate sbom-${{ steps.name.outputs.safe }}.cdx.json \
+          --type cyclonedx \
+          "${{ inputs.image_name }}@${{ inputs.image_digest }}"
+
+    - name: Attest build provenance
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
+      with:
+        subject-name: ${{ inputs.image_name }}
+        subject-digest: ${{ inputs.image_digest }}
+        push-to-registry: true
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -189,80 +189,29 @@ jobs:
           VERSION: ${{ steps.ref-name.outputs.value }}
         run: scripts/buildko.sh
 
-  attest:
+  attest-and-sbom-ko:
     needs: build-images-ko
     runs-on: linux-amd64-cpu32
     permissions:
+      contents: read
       packages: write
       id-token: write
       attestations: write
     strategy:
       matrix:
         image: ${{ fromJson(needs.build-images-ko.outputs.images) }}
     steps:
-      - name: Authenticate to GHCR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Attest build provenance
-        id: attest
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
-        with:
-          subject-name: ${{ matrix.image.name }}
-          subject-digest: ${{ matrix.image.digest }}
-          push-to-registry: true
-
-  sbom-ko:
-    needs: build-images-ko
-    runs-on: linux-amd64-cpu32
-    permissions:
-      contents: read
-      id-token: write         # required for Cosign keyless signing
-      packages: write         # needed to push attestations to GHCR
-      security-events: write  # only needed if you also upload SARIF somewhere
-    strategy:
-      matrix:
-        image: ${{ fromJson(needs.build-images-ko.outputs.images) }}
-    steps:
-      - name: Authenticate to GHCR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+      - name: Checkout Code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Derive safe filename
-        id: name
-        shell: bash
-        run: |
-          IMAGE="${{ matrix.image.name }}"
-          SAFE="$(basename "${IMAGE%%:*}")"  # strip tag if present, then basename
-          echo "safe=$SAFE" >> "$GITHUB_OUTPUT"
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.tag || github.ref }}
 
-      - name: Generate SBOM
-        uses: anchore/sbom-action@8e94d75ddd33f69f691467e42275782e4bfefe84  # v0.20.9
+      - name: Generate SBOM and Attest
+        uses: ./.github/actions/sbom-and-attest
         with:
-          image: "${{ matrix.image.name }}@${{ matrix.image.digest }}"
-          format: cyclonedx-json
-          output-file: sbom-${{ steps.name.outputs.safe }}.cdx.json
-          upload-artifact: true          # also uploads to the workflow run
-          upload-release-assets: auto    # 'auto' == assets on tags
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad  # v4.0.0
-
-      - name: Cosign SBOM attestation
-        env:
-          COSIGN_EXPERIMENTAL: "1"
-        run: |
-          cosign attest \
-            --yes \
-            --predicate sbom-${{ steps.name.outputs.safe }}.cdx.json \
-            --type cyclonedx \
-            "${{ matrix.image.name }}@${{ matrix.image.digest }}"
+          image_name: ${{ matrix.image.name }}
+          image_digest: ${{ matrix.image.digest }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
 
   e2e-test:
     name: "E2E Test Published Images"
@@ -271,8 +220,7 @@ jobs:
     needs:
       - build-images-docker
       - build-images-ko
-      - attest
-      - sbom-ko
+      - attest-and-sbom-ko
     env:
       CLUSTER_NAME: 'nvsentinel-uat'
       FAKE_GPU_NODE_COUNT: '10'
