build: Generate SBOM during image release #23221

Merged
merged 1 commit into from Jan 22, 2023
joestringer
Member

@joestringer joestringer commented Jan 20, 2023

This reverts commit b7cd73e.

SBOM was a focus of some of the problems around the upgrade to docker
buildx v0.10 which introduces various build failures across the Cilium
CI. It was reverted to try to get CI back in a stable state. This was
unsuccessful because the root cause was not related to these workflow
changes, rather these steps add a downstream consumer of the docker
images and the docker image format changed. While reverting these steps
did prevent them from breaking CI, there were other parts of CI that
also still broke due to the image format change. Given that these CI
steps were running successfully for the better part of the last week
already and they weren't the root cause of the recent CI instability, I
think it makes sense to restore this feature into CI.

Reverts: #23204

@joestringer joestringer requested review from a team as code owners January 20, 2023 20:24
@joestringer joestringer added the release-note/ci This PR makes changes to the CI. label Jan 20, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jan 20, 2023
@joestringer joestringer added the dont-merge/preview-only Only for preview or testing, don't merge it. label Jan 20, 2023
@joestringer
Member Author

This failed with the image sha not being passed to the signing step:

https://github.com/cilium/cilium/actions/runs/3971027337/jobs/6807456125#step:16:19

Run cosign sign quay.io/cilium/docker-plugin-ci@
  cosign sign quay.io/cilium/docker-plugin-ci@
  cosign sign quay.io/cilium/docker-plugin-ci@
  cosign sign quay.io/cilium/docker-plugin-ci@
  shell: /usr/bin/bash -e {0}
  env:
    QUAY_ORGANIZATION: cilium
    QUAY_ORGANIZATION_DEV: cilium
    MSYS: winsymlinks:nativestrict
    COSIGN_EXPERIMENTAL: true
Generating ephemeral keys...
Retrieving signed certificate...

        Note that there may be personally identifiable information associated with this signed artifact.
        This may include the email address associated with the account with which you authenticate.
        This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.
Successfully verified SCT...
Error: signing [quay.io/cilium/docker-plugin-ci@]: parsing reference: could not parse reference: quay.io/cilium/docker-plugin-ci@
main.go:62: error during command execution: signing [quay.io/cilium/docker-plugin-ci@]: parsing reference: could not parse reference: quay.io/cilium/docker-plugin-ci@
Error: Process completed with exit code 1.
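
A guard for the failure shown in the log above, where an empty digest produced the reference `quay.io/cilium/docker-plugin-ci@`. This is an added example, not part of the PR or the Cilium workflow; the function names and the "repo digest" input format are assumptions, and the digests are constructed. All references are validated before any is emitted, so a missing digest stops the run before signing starts.

```shell
#!/bin/sh
# Added example (not from the Cilium workflow): validate digests before signing.

# require_digest_ref REPO DIGEST  (hypothetical helper)
# Prints REPO@DIGEST only if DIGEST is "sha256:" plus 64 lowercase hex digits.
require_digest_ref() {
  _repo=$1
  _digest=$2
  _hex=${_digest#sha256:}   # unchanged when the prefix is absent
  if [ -z "$_repo" ] || [ "$_hex" = "$_digest" ] || [ "${#_hex}" -ne 64 ]; then
    echo "error: missing or malformed digest for '$_repo': '$_digest'" >&2
    return 1
  fi
  case "$_hex" in
    *[!0123456789abcdef]*)
      echo "error: non-hex digest for '$_repo': '$_digest'" >&2
      return 1 ;;
  esac
  printf '%s@%s\n' "$_repo" "$_digest"
}

# refs_to_sign  (hypothetical helper)
# Reads "REPO DIGEST" lines on stdin and prints one validated reference per
# line. Prints nothing and returns 1 if any line is invalid (all-or-nothing).
refs_to_sign() {
  _out=""
  while read -r _r _d; do
    [ -n "$_r" ] || continue
    _ref=$(require_digest_ref "$_r" "$_d") || return 1
    _out="${_out}${_ref}
"
  done
  printf '%s' "$_out"
}

# Constructed input: the second image has no digest, as in the failed run.
DEMO_DIGEST="sha256:$(printf '%064d' 0)"
if ! printf '%s\n' \
    "quay.io/cilium/docker-plugin-ci $DEMO_DIGEST" \
    "registry.example/app-b" | refs_to_sign; then
  echo "refusing to sign: a build step did not export its digest" >&2
fi

# In a signing step, the validated list would feed the signer:
#   refs_to_sign < pairs.txt | while read -r ref; do cosign sign "$ref"; done
```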

@joestringer joestringer marked this pull request as draft January 20, 2023 20:51
@aanm aanm force-pushed the submit/restore-sbom branch 2 times, most recently from a4e0eed to 4d5c4b3 Compare January 22, 2023 20:56
Signed-off-by: Joe Stringer <joe@cilium.io>
@aanm aanm removed the dont-merge/preview-only Only for preview or testing, don't merge it. label Jan 22, 2023
@aanm aanm marked this pull request as ready for review January 22, 2023 21:07
@aanm aanm marked this pull request as draft January 22, 2023 22:34
@aanm aanm force-pushed the submit/restore-sbom branch 2 times, most recently from 1dd4666 to cb8c860 Compare January 22, 2023 23:18
@aanm
Member

aanm commented Jan 22, 2023

Merging since this PR was verified with the test commit 1dd46665933175fb4d4a0719e3b4f5e6476cb8d0

COSIGN_EXPERIMENTAL=1 cosign verify --certificate-github-workflow-repository cilium/cilium --certificate-oidc-issuer https://token.actions.githubusercontent.com --attachment sbom  quay.io/cilium/docker-plugin-ci:1dd46665933175fb4d4a0719e3b4f5e6476cb8d0 | jq

@aanm aanm marked this pull request as ready for review January 22, 2023 23:18
@aanm aanm merged commit a6d000e into master Jan 22, 2023
@aanm aanm deleted the submit/restore-sbom branch January 22, 2023 23:18