Skip to content

use github's own privenance and sbom #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cbrady merged 2 commits into from
Sep 29, 2025
Merged

use github's own privenance and sbom #6

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f3f2bfa
use github's own privenance and sbom
cbrady Sep 26, 2025
eca586f
turn it to the max
cbrady Sep 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 3 additions & 44 deletions .github/workflows/release-docker-image.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,6 @@ jobs:
# Build and push Docker image
docker:
runs-on: runs-on=${{ github.run_id }}/runner=4cpu-linux-arm64
outputs:
digest: ${{ steps.build.outputs.digest }}
image-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
permissions:
contents: read
security-events: write
Expand Down Expand Up @@ -68,20 +65,15 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
# Enable built-in attestations (provenance and SBOM)
provenance: mode=max
sbom: true
# QEMU optimization: Use native cross-compilation instead of emulation
build-args: |
BUILDTIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}

# Generate build provenance attestation
- name: Generate build attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true

# Security: Scan the built image
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.1
Expand All @@ -90,36 +82,3 @@ jobs:
format: 'table'
# Output will be shown in the GitHub Actions log

# Generate SBOM and attestation for supply chain security
sbom:
needs: [docker]
runs-on: runs-on=${{ github.run_id }}/runner=1cpu-linux-arm64
permissions:
contents: read
id-token: write # For signing
attestations: write # For SBOM attestations

steps:
- name: Checkout repo
uses: actions/checkout@v5

- name: Generate SBOM
uses: anchore/sbom-action@v0.20.6
with:
path: .
format: spdx-json
output-file: sbom.spdx.json

- name: Attest SBOM
uses: actions/attest-sbom@v1
with:
subject-name: ${{ needs.docker.outputs.image-name }}
subject-digest: ${{ needs.docker.outputs.digest }}
sbom-path: sbom.spdx.json
push-to-registry: true

- name: Upload SBOM as artifact
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.spdx.json