Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fa39612557
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| IMAGE_REF: ${{ steps.image.outputs.ref }} | ||
| SYFT: ${{ steps.syft.outputs.cmd }} | ||
| run: | | ||
| "$SYFT" "$IMAGE_REF" --scope all-layers -o cyclonedx-json=dockerhub-image.cdx.json |
There was a problem hiding this comment.
Attest SBOMs for each platform image
For multi-platform publishes, the build script creates a manifest list for both linux/amd64 and linux/arm64, but this Syft command scans the manifest-list digest without specifying a platform. Syft currently resolves an image index to the runner's platform image rather than cataloging every referenced manifest (see anchore/syft#1683), so on the ubuntu-24.04 runner the SBOM attested to the multi-arch digest only describes amd64 and omits arm64-specific contents; the same pattern is repeated in the GHCR job. Either rely on the BuildKit SBOM attestations or generate/attest SBOMs per platform digest.
Useful? React with 👍 / 👎.
No description provided.