🤖 Add SBOM artifacts to CI pipelines #998
Signed-off-by: mudler <mudler@c3os.io>
Codecov Report

Coverage Diff (master vs #998):

              master    #998    +/-
  Coverage    22.79%  22.79%
  Files           22      22
  Lines         1610    1610
  Hits           367     367
  Misses        1179    1179
  Partials        64      64
@@ -118,22 +118,6 @@ jobs: | |||
with: | |||
files: | | |||
release/* | |||
- run: | |
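Review bot: the header `@@ -118,22 +118,6 @@ jobs:` drops 16 lines after the `release/*` upload, but only the opening `- run: |` of the removed step survives in this view, so its body cannot be checked against what the build now produces. Please paste the removed step (or name the commit that replaced it) in the description so the review can confirm that the workflow no longer needs it and that the `files: | release/*` glob still picks up the SBOM files the build writes.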
lol
ARG FLAVOR | ||
COPY +syft/syft /usr/bin/syft | ||
RUN syft / -o json=sbom.syft.json -o spdx-json=sbom.spdx.json | ||
SAVE ARTIFACT /build/sbom.syft.json sbom.syft.json AS LOCAL core-${FLAVOR}-${VERSION}-sbom.syft.json |
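Review bot: `RUN syft / -o json=sbom.syft.json -o spdx-json=sbom.spdx.json` writes two documents, but the only `SAVE ARTIFACT` in this hunk exports `/build/sbom.syft.json`; either add a matching `SAVE ARTIFACT /build/sbom.spdx.json sbom.spdx.json AS LOCAL core-${FLAVOR}-${VERSION}-sbom.spdx.json` or drop the unused `spdx-json` output. The RUN line also writes relative paths while `SAVE ARTIFACT` reads from `/build`, so this silently depends on the working directory being `/build` at that point of the target; absolute output paths (`-o json=/build/sbom.syft.json`) would make that explicit. Note too that `syft /` runs after `COPY +syft/syft /usr/bin/syft`, so the scanner binary itself will appear in the image's SBOM unless it is removed first or the scan is pointed at the rootfs rather than `/`. Finally, `${VERSION}` is used in the local filename but only `ARG FLAVOR` is declared here; confirm `VERSION` is declared earlier in the target.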
Shouldn't it be ${VARIANT}-${FLAVOR}-${VERSION}? Not sure if we ever change the variant, but in case we do, that would trickle down to the naming here as well.
small nit, feel free to ignore
What this PR does / why we need it: This PR introduces generated image SBOMs to our releases.

Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged): Part of #51

This PR introduces https://github.com/anchore/syft, generating an SBOM which is attached at the end of the image build process. It also adds the SBOM to the uploaded artifacts (jobs and releases).
Example generated SBOM files: core-debian-v1.6.0-14-g193c740-dirty-sbom.s.zip
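Once the SBOMs are published as release artifacts, the thing a consumer usually wants is to query them or diff one release against the previous one. The script below is an added example, not code from this PR or the Kairos project: it reads either of the two formats syft emits here (`spdx-json`, which puts packages under `packages` with `name`/`versionInfo`, and syft's native `json`, which puts them under `artifacts` with `name`/`version`), normalises both to a name-to-version map, and reports what was added, removed or upgraded between two documents. The two SBOM documents inline are constructed, minimal stand-ins for real syft output; the function names `packages` and `diff_sboms` are this example's own.

```python
"""Query and diff SBOMs produced by `syft -o spdx-json` / `syft -o json`.

Added example, not Kairos project code. The two documents below are
constructed, minimal stand-ins for real syft output.
"""
import json
from typing import Dict, List, Tuple


def packages(sbom: dict) -> Dict[str, str]:
    """Return {package name: version} from an SPDX 2.x JSON or syft-native JSON document.

    Packages without a version field are kept with an empty version so they
    still show up in diffs rather than silently disappearing.
    """
    if "packages" in sbom:  # SPDX 2.x JSON: "packages": [{"name", "versionInfo", ...}]
        return {p["name"]: p.get("versionInfo", "") for p in sbom["packages"]}
    if "artifacts" in sbom:  # syft native JSON: "artifacts": [{"name", "version", ...}]
        return {a["name"]: a.get("version", "") for a in sbom["artifacts"]}
    raise ValueError("unrecognised SBOM format: expected 'packages' (SPDX) or 'artifacts' (syft)")


def diff_sboms(old: dict, new: dict) -> Dict[str, list]:
    """Compare two release SBOMs (any mix of the two formats).

    Returns sorted lists: 'added' and 'removed' package names, and 'changed'
    as (name, old_version, new_version) tuples for packages present in both.
    """
    a, b = packages(old), packages(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted((n, a[n], b[n]) for n in set(a) & set(b) if a[n] != b[n]),
    }


# Constructed sample: an SPDX-JSON SBOM for a previous release.
OLD_SPDX = json.loads("""{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "core-debian-previous",
  "packages": [
    {"name": "openssl", "SPDXID": "SPDXRef-Package-openssl", "versionInfo": "3.0.2-1"},
    {"name": "bash",    "SPDXID": "SPDXRef-Package-bash",    "versionInfo": "5.1-6"}
  ]
}""")

# Constructed sample: a syft-native JSON SBOM for the next release.
NEW_SYFT = {
    "artifacts": [
        {"name": "openssl", "version": "3.0.7-1", "type": "deb"},
        {"name": "bash",    "version": "5.1-6",   "type": "deb"},
        {"name": "syft",    "version": "0.60.0",  "type": "binary"},
    ]
}


def report(old: dict, new: dict) -> List[str]:
    """Human-readable lines for the diff, in the order added / removed / changed."""
    d = diff_sboms(old, new)
    lines = [f"+ {n}" for n in d["added"]]
    lines += [f"- {n}" for n in d["removed"]]
    lines += [f"~ {n}: {o} -> {v}" for n, o, v in d["changed"]]
    return lines


if __name__ == "__main__":
    for line in report(OLD_SPDX, NEW_SYFT):
        print(line)
```

Run it against two real artifacts with `json.load(open(path))` in place of the constructed documents; a `+ syft` line in the output is exactly the kind of surprise a release diff is meant to surface.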