diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b579fa33..26a7abf3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,18 +47,6 @@ jobs:
 echo ::set-output name=buildx_args::--platform ${DOCKER_PLATFORMS} \
 --build-arg revision=$(git rev-parse --short HEAD) \
 ${TAGS} .
- - name: Install sigstore cosign
- uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
- with:
- cosign-release: 'v1.5.0'
- - name: Release artifacts
- id: release-artifacts
- env:
- AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
- AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
- COSIGN_EXPERIMENTAL: "true"
- run: |
- VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v1
 with:
@@ -82,14 +70,33 @@ jobs:
 - name: Docker Buildx (push)
 run: |
 docker buildx build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}
- - name: Sign the published Docker images (via GitHub OIDC token)
+ - name: Docker Check Manifest
+ run: |
+ docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
+ - name: Install Kubernetes SBOM Tool
+ uses: puerco/bom-installer@aa0837e37b6965b5fc50adfad0683ec3c0a2c2c4
+ - name: Install sigstore cosign
+ uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+ with:
+ cosign-release: 'v1.5.0'
+ - name: Release artifacts (includes SBOM and signatures)
+ id: release-artifacts
+ env:
+ AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
+ AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
+ COSIGN_EXPERIMENTAL: "true"
+ run: |
+ VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh
+ - name: Sign the published images (via GitHub OIDC token)
 env:
 COSIGN_EXPERIMENTAL: "true"
 run: |
 cosign sign ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
- - name: Docker Check Manifest
+ - name: Attach SBOM to published images
+ env:
+ COSIGN_EXPERIMENTAL: "true"
 run: |
- docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
+ cosign attach sbom --sbom _dist/chartmuseum-${{ steps.prepare.outputs.version }}.spdx ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
 - name: Clear
 if: always()
 run: |
diff --git a/Makefile b/Makefile
index 75a0faa4..dfd2bc4b 100644
--- a/Makefile
+++ b/Makefile
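Review bot: The `Attach SBOM to published images` step uses `cosign attach sbom`, which stores the SPDX document as a plain, unsigned OCI artifact next to the image; the `cosign sign` in the step before it covers only the image manifest, so a consumer who retrieves the SBOM with `cosign download sbom` has no way to tell whether the document was replaced or altered after publication. Consider publishing it as a signed attestation instead of, or in addition to, the attach, e.g. `cosign attest --predicate _dist/chartmuseum-${{ steps.prepare.outputs.version }}.spdx --type spdx ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}` (confirm the pinned cosign release accepts the `spdx` predicate type; otherwise sign the attached SBOM's own reference). Both cosign steps also address the image by tag rather than by the digest Buildx pushed; within a single job the window for a tag to move is small, but signing by digest removes it entirely.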
@@ -174,14 +174,18 @@ fetch-dist:
 # shasum -a 256 -c chartmuseum-v0.13.1-darwin-amd64.tar.gz.sha256sum
 .PHONY: checksum
 checksum:
- for f in $$(ls _dist/*.{gz,zip} 2>/dev/null) ; do \
+ for f in $$(ls _dist/*.{gz,spdx,zip} 2>/dev/null) ; do \
 echo "Creating $${f}.sha256sum" ; \
 shasum -a 256 "$${f}" | sed 's/_dist\///' > "$${f}.sha256sum" ; \
 done
 
+.PHONY: sbom
+sbom:
+ @./scripts/sbom.sh
+
 .PHONY: cosign
 cosign:
- for f in $$(ls _dist/*.{gz,zip,sha256sum} 2>/dev/null) ; do \
+ for f in $$(ls _dist/*.{gz,zip,sha256sum,spdx} 2>/dev/null) ; do \
 echo "Creating $${f}.sig" ; \
 cosign sign-blob --output-file "$${f}.sig" "$${f}"; \
 done
diff --git a/scripts/release-artifacts.sh b/scripts/release-artifacts.sh
index 9538d616..c67e371f 100755
--- a/scripts/release-artifacts.sh
+++ b/scripts/release-artifacts.sh
@@ -28,7 +28,7 @@ sudo apt install azure-cli
 
 echo "Building chartmuseum binaries"
 make build-cross
-make dist checksum cosign VERSION="${VERSION}"
+make dist sbom checksum cosign VERSION="${VERSION}"
 
 echo "Pushing binaries to Azure"
 az storage blob upload-batch -s _dist/ -d "$AZURE_STORAGE_CONTAINER_NAME" --pattern 'chartmuseum-*' --connection-string "$AZURE_STORAGE_CONNECTION_STRING"
diff --git a/scripts/release-notes.sh b/scripts/release-notes.sh
index ab6f88e7..38bb88e0 100755
--- a/scripts/release-notes.sh
+++ b/scripts/release-notes.sh
@@ -89,6 +89,8 @@ Download ChartMuseum ${RELEASE}. The common platform binaries are here:
 - [Linux s390x](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum | awk '{print $1}'))
 - [Windows amd64](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum | awk '{print $1}'))
 
+You can download the SBOM for this release in SPDX format [here](https://get.helm.sh/chartmuseum-${RELEASE}.spdx).
+
 You can use a [script to install](https://raw.githubusercontent.com/helm/chartmuseum/main/scripts/get-chartmuseum) on any system with \`bash\`.
 
 ## What's Next
diff --git a/scripts/sbom.sh b/scripts/sbom.sh
new file mode 100755
index 00000000..4ac5e3e5
--- /dev/null
+++ b/scripts/sbom.sh
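Review bot: The added SBOM line links only the bare `.spdx` file, whereas every binary entry above it also links its `.sig`, `.sha256sum` and `.sha256sum.sig` companions. This same commit adds `spdx` to both the `checksum` and `cosign` globs in the Makefile, and `release-artifacts.sh` uploads everything matching `chartmuseum-*`, so `chartmuseum-${RELEASE}.spdx.sig` and `chartmuseum-${RELEASE}.spdx.sha256sum` should be published alongside the document; without links, readers get no hint that the SBOM itself is verifiable. Suggest matching the existing format: `You can download the SBOM for this release in SPDX format [here](https://get.helm.sh/chartmuseum-${RELEASE}.spdx) ([sig](https://get.helm.sh/chartmuseum-${RELEASE}.spdx.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}.spdx.sha256sum)).`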
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+: ${VERSION:?"VERSION environment variable is not set"}
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd $DIR/../
+mkdir -p ./_dist/
+pushd ./_dist/
+
+# Initialize the configuration file
+cat << EOF > .sbom.yaml
+---
+namespace: https://get.helm.sh/chartmuseum-${RELEASE}.spdx
+license: Apache-2.0
+name: ChartMuseum
+artifacts:
+ - type: directory
+ source: ..
+EOF
+
+for file in $(ls *.{gz,zip});
+ do echo "Adding ${file} to SBOM"
+ echo " - type: file" >> .sbom.yaml
+ echo " source: ${file}" >> .sbom.yaml
+done
+
+echo "Adding image ghcr.io/helm/chartmuseum:${VERSION}"
+echo " - type: image" >> .sbom.yaml
+echo " source: ghcr.io/helm/chartmuseum:${VERSION}" >> .sbom.yaml
+
+echo "Wrote configuration file:"
+cat .sbom.yaml
+
+bom generate -c .sbom.yaml -o chartmuseum-${VERSION}.spdx
+
+rm .sbom.yaml
+popd
+echo "SBOM written to _dist/chartmuseum-${VERSION}.spdx"
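Review bot: The heredoc's `namespace:` line interpolates `${RELEASE}`, but the script only asserts `${VERSION}` at the top and every other path in it is built from `${VERSION}`; under `set -u` an unset `RELEASE` aborts the script with an unbound-variable error, and neither the Makefile `sbom` target nor the visible lines of `release-artifacts.sh` pass `RELEASE` through. Unless a caller outside this diff exports it, the line should read `namespace: https://get.helm.sh/chartmuseum-${VERSION}.spdx`, which also keeps the document namespace identical to the URL the release notes publish. Two smaller points: `cd $DIR/../` is unquoted and `for file in $(ls *.{gz,zip});` word-splits `ls` output, so `cd "$DIR/.."` and `for file in *.gz *.zip; do` (with `shopt -s nullglob` to drop unmatched patterns) are the safer forms. The image entry hard-codes `ghcr.io/helm/chartmuseum:${VERSION}` while the workflow signs and attaches to `${{ steps.prepare.outputs.docker_image }}`; if those can differ (forks, alternate registries), the SBOM would describe an image other than the one actually published.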