ci: attach SPDX SBOM to the application images (#109)#113

Merged
toddysm merged 1 commit into main from feature/image-sbom on Jul 1, 2026
Conversation

toddysm (Owner) commented Jul 1, 2026

Implements #109 (tracked by #111).

Enables SBOM generation in the build / cssc-dashboard workflow (docker buildx build --sbom=true): each application image gets an SPDX SBOM per platform, attached as an OCI referrer so it travels with the image in GHCR.

actionlint clean.

Enable buildx SBOM generation (--sbom=true) so each app image carries an SPDX
SBOM per platform as an OCI referrer. Adds docs/reference/image-attestations.md.
Closes #109.
Copilot AI review requested due to automatic review settings July 1, 2026 03:21

Copilot AI left a comment

Pull request overview

This PR enables generation of per-platform SPDX SBOMs for the CSSC Dashboard application images during the GitHub Actions build, and documents how to discover/retrieve those SBOM attestations from GHCR as OCI referrers.

Changes:

  • Enable BuildKit SBOM generation in the build / cssc-dashboard workflow by switching docker buildx build to --sbom=true.
  • Add documentation describing the OCI-referrer attestation model and how to retrieve SBOMs via buildx imagetools inspect or oras discover.
  • Link the new documentation from the reference index.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

Reviewed files:

  • docs/reference/README.md: Adds a reference entry pointing to the new image attestation documentation.
  • docs/reference/image-attestations.md: Documents SBOM attestations for CSSC Dashboard images and how to retrieve/discover them.
  • .github/workflows/build-cssc-dashboard.yml: Enables per-platform SPDX SBOM generation and notes it in the workflow summary output.
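A release-gate check over the output of docker buildx imagetools inspect IMAGE --format '{{ json .SBOM }}', added here as an example and not code from this PR or the project: it confirms that every platform the workflow builds for actually carries an SPDX document as a referrer and reports how many packages each one lists. The sample JSON is constructed, and the two output shapes handled (a bare {"SPDX": ...} for single-platform images, a map keyed by platform for multi-platform ones) follow the buildx documentation rather than anything on this page.

```python
"""Verify that each expected platform of an image has an SPDX SBOM attached.

Input: the JSON printed by
  docker buildx imagetools inspect IMAGE --format '{{ json .SBOM }}'
Assumed shapes (from the buildx docs, not this PR):
  single-platform:  {"SPDX": {...spdx document...}}
  multi-platform:   {"linux/amd64": {"SPDX": {...}}, "linux/arm64": {...}}
"""
import json


def sboms_by_platform(inspect_json: str) -> dict:
    """Normalise both output shapes to {platform: spdx_document_or_None}."""
    data = json.loads(inspect_json)
    if "SPDX" in data:  # single-platform image: no platform key
        return {"single": data["SPDX"]}
    return {plat: entry.get("SPDX") for plat, entry in data.items()}


def missing_platforms(inspect_json: str, expected) -> list:
    """Platforms that have no SPDX document or whose document is not SPDX."""
    docs = sboms_by_platform(inspect_json)
    return [
        p for p in expected
        if not docs.get(p)
        or not str(docs[p].get("spdxVersion", "")).startswith("SPDX-")
    ]


def package_counts(inspect_json: str, expected) -> dict:
    """{platform: number of packages} for the platforms that do carry an SBOM."""
    docs = sboms_by_platform(inspect_json)
    return {p: len(docs[p].get("packages", [])) for p in expected if docs.get(p)}


# Constructed samples (not a real GHCR image); SPDX documents trimmed to two keys.
PLATFORMS = ["linux/amd64", "linux/arm64"]
SAMPLE_OK = json.dumps({
    "linux/amd64": {"SPDX": {"spdxVersion": "SPDX-2.3",
                             "packages": [{"name": "alpine-baselayout"}, {"name": "busybox"}]}},
    "linux/arm64": {"SPDX": {"spdxVersion": "SPDX-2.3",
                             "packages": [{"name": "alpine-baselayout"}]}},
})
# Failure mode: the arm64 manifest was pushed without its SBOM referrer.
SAMPLE_MISSING = json.dumps({
    "linux/amd64": {"SPDX": {"spdxVersion": "SPDX-2.3", "packages": []}},
})

if __name__ == "__main__":
    print("ok:", package_counts(SAMPLE_OK, PLATFORMS))
    print("missing:", missing_platforms(SAMPLE_MISSING, PLATFORMS))
```

In a workflow the script would run after the push, feeding it the inspect output for the just-built tag and failing the job when the missing list is non-empty.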


@toddysm toddysm merged commit d05c0bf into main Jul 1, 2026
4 checks passed
@toddysm toddysm deleted the feature/image-sbom branch July 1, 2026 03:27