helm · jdolitsky · Jan 30, 2022 · Jan 30, 2022 · Jan 30, 2022 · Jan 30, 2022
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -47,18 +47,6 @@ jobs:
           echo ::set-output name=buildx_args::--platform ${DOCKER_PLATFORMS} \
             --build-arg revision=$(git rev-parse --short HEAD) \
             ${TAGS} .
-      - name: Install sigstore cosign
-        uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
-        with:
-          cosign-release: 'v1.5.0'
-      - name: Release artifacts
-        id: release-artifacts
-        env:
-          AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
-          AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
         with:
@@ -82,14 +70,33 @@ jobs:
       - name: Docker Buildx (push)
         run: |
           docker buildx build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}
-      - name: Sign the published Docker images (via GitHub OIDC token)
+      - name: Docker Check Manifest
+        run: |
+          docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
+      - name: Install Kubernetes SBOM Tool
+        uses: puerco/bom-installer@aa0837e37b6965b5fc50adfad0683ec3c0a2c2c4
+      - name: Install sigstore cosign
+        uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+        with:
+          cosign-release: 'v1.5.0'
+      - name: Release artifacts (includes SBOM and signatures)
+        id: release-artifacts
+        env:
+          AZURE_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_STORAGE_CONNECTION_STRING }}
+          AZURE_STORAGE_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }}
+          COSIGN_EXPERIMENTAL: "true"
+        run: |
+          VERSION="${{ steps.prepare.outputs.version }}" ./scripts/release-artifacts.sh
+      - name: Sign the published images (via GitHub OIDC token)
         env:
           COSIGN_EXPERIMENTAL: "true"
         run: |
           cosign sign ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
-      - name: Docker Check Manifest
+      - name: Attach SBOM to published images
+        env:
+          COSIGN_EXPERIMENTAL: "true"
         run: |
-          docker run --rm mplatform/mquery ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
+          cosign attach sbom --sbom _dist/chartmuseum-${{ steps.prepare.outputs.version }}.spdx ${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}
       - name: Clear
         if: always()
         run: |

diff --git a/Makefile b/Makefile
@@ -174,14 +174,18 @@ fetch-dist:
 #   shasum -a 256 -c chartmuseum-v0.13.1-darwin-amd64.tar.gz.sha256sum
 .PHONY: checksum
 checksum:
-	for f in $$(ls _dist/*.{gz,zip} 2>/dev/null) ; do \
+	for f in $$(ls _dist/*.{gz,spdx,zip} 2>/dev/null) ; do \
 		echo "Creating $${f}.sha256sum" ; \
 		shasum -a 256 "$${f}" | sed 's/_dist\///' > "$${f}.sha256sum" ; \
 	done
 
+.PHONY: sbom
+sbom:
+	@./scripts/sbom.sh
+
 .PHONY: cosign
 cosign:
-	for f in $$(ls _dist/*.{gz,zip,sha256sum} 2>/dev/null) ; do \
+	for f in $$(ls _dist/*.{gz,zip,sha256sum,spdx} 2>/dev/null) ; do \
 		echo "Creating $${f}.sig" ; \
 		cosign sign-blob --output-file "$${f}.sig" "$${f}"; \
 	done

diff --git a/scripts/release-artifacts.sh b/scripts/release-artifacts.sh
@@ -28,7 +28,7 @@ sudo apt install azure-cli
 
 echo "Building chartmuseum binaries"
 make build-cross
-make dist checksum cosign VERSION="${VERSION}"
+make dist sbom checksum cosign VERSION="${VERSION}"
 
 echo "Pushing binaries to Azure"
 az storage blob upload-batch -s _dist/ -d "$AZURE_STORAGE_CONTAINER_NAME" --pattern 'chartmuseum-*' --connection-string "$AZURE_STORAGE_CONNECTION_STRING"
diff --git a/scripts/release-notes.sh b/scripts/release-notes.sh
@@ -89,6 +89,8 @@ Download ChartMuseum ${RELEASE}. The common platform binaries are here:
 - [Linux s390x](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-linux-s390x.tar.gz.sha256sum | awk '{print $1}'))
 - [Windows amd64](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip) ([archive sig](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sig) / [checksum](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum) / [checksum sig](https://get.helm.sh/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum.sig) / $(cat _dist/chartmuseum-${RELEASE}-windows-amd64.zip.sha256sum | awk '{print $1}'))
 
+You can download the SBOM for this release in SPDX format [here](https://get.helm.sh/chartmuseum-${RELEASE}.spdx).
+
 You can use a [script to install](https://raw.githubusercontent.com/helm/chartmuseum/main/scripts/get-chartmuseum) on any system with \`bash\`.
 
 ## What's Next

diff --git a/scripts/sbom.sh b/scripts/sbom.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+: ${VERSION:?"VERSION environment variable is not set"}
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd $DIR/../
+mkdir -p ./_dist/
+pushd ./_dist/
+
+# Initialize the configuration file
+cat << EOF > .sbom.yaml
+---
+namespace: https://get.helm.sh/chartmuseum-${RELEASE}.spdx
+license: Apache-2.0
+name: ChartMuseum
+artifacts:
+  - type: directory
+    source: ..
+EOF
+
+for file in $(ls *.{gz,zip}); 
+    do echo "Adding ${file} to SBOM"
+    echo "  - type: file"  >> .sbom.yaml
+    echo "    source: ${file}" >> .sbom.yaml
+done
+
+echo "Adding image ghcr.io/helm/chartmuseum:${VERSION}"
+echo "  - type: image" >> .sbom.yaml
+echo "    source: ghcr.io/helm/chartmuseum:${VERSION}" >> .sbom.yaml
+
+echo "Wrote configuration file:"
+cat .sbom.yaml
+
+bom generate -c .sbom.yaml -o chartmuseum-${VERSION}.spdx
+
+rm .sbom.yaml
+popd
+echo "SBOM written to _dist/chartmuseum-${VERSION}.spdx"