0
0
Fork 0
mirror of https://github.com/crazy-max/diun.git synced 2025-03-17 04:42:39 +00:00

ci: generate sbom and provenance

This commit is contained in:
CrazyMax 2024-03-10 14:55:22 +01:00
parent 9c28a908df
commit 46880738d6
No known key found for this signature in database
GPG key ID: ADE44D8C9D44FBE4
2 changed files with 23 additions and 0 deletions
.github/workflows
Dockerfile

View file

@ -114,11 +114,26 @@ jobs:
uses: docker/bake-action@v4
with:
targets: artifact
provenance: mode=max
sbom: true
pull: true
set: |
*.platform=${{ matrix.platform }}
*.cache-from=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }}
*.cache-to=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }},mode=max
-
name: Rename provenance and sbom
working-directory: ${{ env.DESTDIR }}/artifact
run: |
binname=$(find . -name 'diun_*')
filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
mv "provenance.json" "${filename}.provenance.json"
mv "sbom-binary.spdx.json" "${filename}.sbom.json"
find . -name 'sbom*.json' -exec rm {} \;
-
name: List artifacts
run: |
tree -nh ${{ env.DESTDIR }}
-
name: Upload artifact
uses: actions/upload-artifact@v4
@ -143,6 +158,10 @@ jobs:
path: ${{ env.DESTDIR }}
pattern: diun-*
merge-multiple: true
-
name: List artifacts
run: |
tree -nh ${{ env.DESTDIR }}
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
@ -231,6 +250,8 @@ jobs:
./docker-bake.hcl
${{ steps.meta.outputs.bake-file }}
targets: image-all
provenance: mode=max
sbom: true
pull: true
push: ${{ github.event_name != 'pull_request' }}
set: |

View file

@ -62,6 +62,8 @@ COPY --link --from=build /usr/bin/diun /diun.exe
FROM binary-unix AS binary-darwin
FROM binary-unix AS binary-linux
FROM binary-$TARGETOS AS binary
# enable scanning for this stage
ARG BUILDKIT_SBOM_SCAN_STAGE=true
FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS build-artifact
RUN apk add --no-cache bash tar zip