build: transparency on package versions

Signed-off-by: Viet Nguyen Duc <[email protected]>

Author: VietND96

.github/workflows/deploy.yml

@@ -151,6 +151,8 @@ jobs:
           retry_wait_seconds: 300
           continue_on_error: true
           command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make release_latest
+      - name: Update package versions
+        run: make generate_latest_sbom
       - name: Tag browser images
         if: github.event.inputs.skip-build-push-image != 'true'
         uses: nick-invision/retry@master
@@ -201,4 +203,6 @@ jobs:
           prerelease: ${{ env.PRERELEASE }}
           draft: false
           append_body: false
-          files: ${{ env.PUBLISH_YAML_MANIFESTS }}
+          files: |
+            package_versions.txt
+            ${{ env.PUBLISH_YAML_MANIFESTS }}

.github/workflows/nightly.yml

@@ -113,6 +113,8 @@ jobs:
           max_attempts: 3
           retry_wait_seconds: 120
           command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make release_nightly
+      - name: Update package versions
+        run: make generate_nightly_sbom
       - name: Push Helm chart to registry
         uses: nick-invision/retry@master
         with:
@@ -151,6 +153,7 @@ jobs:
           name: "Nightly"
           body_path: "release_notes.md"
           files: |
+            package_versions.txt
             ${{ env.CHART_PACKAGE_PATH }}
           generate_release_notes: true
           draft: false

Makefile

@@ -25,6 +25,7 @@ CURRENT_PLATFORM := $(shell if [ `arch` = "aarch64" ]; then echo "linux/arm64";
 PLATFORMS := $(or $(PLATFORMS),$(shell echo $$PLATFORMS),$(CURRENT_PLATFORM))
 SEL_PASSWD := $(or $(SEL_PASSWD),$(SEL_PASSWD),secret)
 CHROMIUM_VERSION := $(or $(CHROMIUM_VERSION),$(CHROMIUM_VERSION),latest)
+SBOM_OUTPUT := $(or $(SBOM_OUTPUT),$(SBOM_OUTPUT),package_versions.txt)
 
 all: hub \
 	distributor \
@@ -341,6 +342,9 @@ release_latest:
 	docker push $(NAME)/standalone-docker:latest
 	docker push $(NAME)/video:latest
 
+generate_latest_sbom:
+	NAME=$(NAME) FILTER_IMAGE_TAG=latest OUTPUT_FILE=$(SBOM_OUTPUT) ./generate_sbom.sh
+
 tag_nightly:
 	docker tag $(NAME)/base:$(TAG_VERSION) $(NAME)/base:nightly
 	docker tag $(NAME)/hub:$(TAG_VERSION) $(NAME)/hub:nightly
@@ -383,6 +387,9 @@ release_nightly:
 	docker push $(NAME)/standalone-docker:nightly
 	docker push $(NAME)/video:nightly
 
+generate_nightly_sbom:
+	NAME=$(NAME) FILTER_IMAGE_TAG=nightly OUTPUT_FILE=$(SBOM_OUTPUT) ./generate_sbom.sh
+
 tag_major_minor:
 	docker tag $(NAME)/base:$(TAG_VERSION) $(NAME)/base:$(MAJOR)
 	docker tag $(NAME)/hub:$(TAG_VERSION) $(NAME)/hub:$(MAJOR)

generate_sbom.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+NAMESPACE=${NAME:-selenium}
+FILTER_IMAGE_TAG=${FILTER_IMAGE_TAG:-"*"}
+OUTPUT_FILE=${OUTPUT_FILE:-"package_versions.txt"}
+
+# List all Docker images matching tag
+images=$(docker images --filter=reference=${NAMESPACE}'/*:'${FILTER_IMAGE_TAG} --format "{{.Repository}}:{{.Tag}}")
+
+# Check if there are any images
+if [ -z "$images" ]; then
+  echo "No Docker images found."
+  exit 1
+fi
+
+echo -n "" >${OUTPUT_FILE}
+# Iterate through each image and generate SBOM
+for image in $images; do
+  echo "Generating SBOM for image: $image"
+  echo "==================== $image ====================" >>${OUTPUT_FILE}
+  docker sbom $image >>${OUTPUT_FILE}
+  echo "" >>${OUTPUT_FILE}
+done
+
+echo "SBOM generation completed for all images."

tests/charts/make/chart_setup_env.sh

@@ -57,6 +57,10 @@ chmod +x ./docker-compose
 sudo mv ./docker-compose /usr/libexec/docker/cli-plugins
 docker compose version
 echo "==============================="
+echo "Install Docker SBOMs plugin"
+curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --
+docker sbom --version
+echo "==============================="
 if [ "${CLUSTER}" = "kind" ]; then
     echo "Installing kind for AMD64 / ARM64"
     curl -fsSL -o ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(dpkg --print-architecture)