diff --git a/.github/workflows/generate-sbom.yml b/.github/workflows/generate-sbom.yml new file mode 100644 index 0000000000..bf1773a63d --- /dev/null +++ b/.github/workflows/generate-sbom.yml @@ -0,0 +1,62 @@ +name: Generate-SBOM +on: + release: + types: [published] + workflow_dispatch: + inputs: + tag: + description: "Tag that needs to generate sbom" + required: true +jobs: + generate-sbom: + runs-on: ubuntu-latest + steps: + - name: Checkout Code + uses: actions/checkout@v4 + - name: Install Syft + run: | + curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin + - name: Install Cosign + uses: sigstore/cosign-installer@v3.5.0 + - name: Generate Key + run: | + cosign generate-key-pair + env: + COSIGN_PASSWORD: "" + - name: Generate SBOM + run: | + mkdir sbom + LONGHORN_IMAGES_FILE=deploy/longhorn-images.txt + while read -r IMAGE; do + IMAGE_NAME="${IMAGE#*/}" + FILE_PREFIX="${IMAGE_NAME//:/-}" + syft -q "${IMAGE}" -o json --platform=linux/amd64 > "sbom/${FILE_PREFIX}-amd64.sbom" + if [[ "${IMAGE}" != *"openshift-origin-oauth-proxy"* ]]; then + syft -q "${IMAGE}" -o json --platform=linux/arm64 > "sbom/${FILE_PREFIX}-arm64.sbom" + fi + done < "${LONGHORN_IMAGES_FILE}" + - name: Sign SBOM + run: | + for SBOM_FILE in "sbom"/*; do + SIG_FILE_NAME="${SBOM_FILE%.*}.sig" + cosign sign-blob -y "${SBOM_FILE}" --key cosign.key --output-signature "${SIG_FILE_NAME}" + done + - name: Verify SBOM + run: | + for SBOM_FILE in "sbom"/*.sbom; do + SIG_FILE_NAME="${SBOM_FILE%.*}.sig" + cosign verify-blob --key cosign.pub --signature "$(cat "${SIG_FILE_NAME}")" "${SBOM_FILE}" + done + - name: Ship Public Key + run: | + cp cosign.pub sbom/cosign.pub + - name: Tar Assets + run: | + tar zcvf sbom.tar.gz sbom + - name: Upload Release Assets + uses: AButler/upload-release-assets@v3.0 + with: + files: sbom.tar.gz + repo-token: ${{ secrets.CUSTOM_GITHUB_TOKEN }} + release-tag: ${{ inputs.tag || '' }} + if: ${{ always() }} \ No newline at end of file