feat: SBOM pipeline for data #691
Merged
castrojo merged 3 commits into projectbluefin:main (Mar 31, 2026)
- scripts/fetch-github-sbom.js: fetch SLSA attestation verification results from GHCR for all Bluefin image streams, write static/data/sbom-attestations.json
- package.json: add standalone npm run fetch-sbom script (not wired into fetch-data chain — cosign not available in pages.yml)
- static/data/sbom-attestations.json: commit seed file so static import never cold-starts; .gitignore exception added
- src/types/sbom.ts: TypeScript interfaces for attestation cache
- .github/workflows/update-sbom-cache.yml: nightly job to refresh cache using PROJECT_READ_TOKEN for cross-org package reads
- src/components/ImagesCatalog.tsx: show attestation status in Verify Provenance tab from cache
- src/components/FeedItems.tsx: look up attestation state per release tag in Supply Chain block; distinguishes present vs verified

Assisted-by: Claude Sonnet 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…ckage versions
- fetch-github-sbom.js: complete rewrite with oras-based SBOM download, Syft JSON parsing, kernel lowest-semver selection, epoch stripping, 3-way cache logic (full hit / partial / miss), atomic write, LTS keyless fix
- update-sbom-cache.yml: add oras-project/setup-oras step and GHCR login so oras can access the OCI referrers API for public packages
- fetch-github-images.js: load sbom-attestations.json and overlay kernel, gnome, fedora from SBOM into stream versions; NVIDIA kept from feeds
- fetch-github-driver-versions.js: load sbom-attestations.json and overlay kernel, mesa per-row from SBOM; NVIDIA/hweKernel kept from releases
- src/types/sbom.ts: add PackageVersions interface and field on SbomRelease

Fixes: C-1 (missing downloadSbom/extractPackageVersions), C-2 (null cache poison), C-3 (wrong destructure), M-8 (LTS keyless flag), M-2 (kernel sort), M-6 (normaliseLtsTag regex), H-1 (oras not installed), H-3 (no oras login), H-6 (non-atomic write)

Assisted-by: Claude Sonnet 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Remove the keyless:false special-case for bluefin-lts. All streams now use the same OIDC verify-attestation path. LTS will be migrated to OIDC keyless signing upstream; handling it identically avoids a permanent divergence in the pipeline.

Assisted-by: Claude Sonnet 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Code Review
This pull request introduces a system for fetching and displaying SBOM (Software Bill of Materials) and attestation metadata for Bluefin image streams. A new script, fetch-github-sbom.js, has been added to verify image attestations using cosign and extract package versions from Syft SBOMs via oras. The existing data-fetching scripts for driver versions and images were updated to overlay this SBOM-sourced data, ensuring more accurate versioning for components like the kernel and GNOME. Furthermore, the FeedItems and ImagesCatalog frontend components now integrate this data to display attestation verification status in the UI. I have no feedback to provide as there were no review comments to assess.
No description provided.