
Commit b56c93d

authored
Merge pull request #98 from SovereignCloudStack/kr/cosign-attest
🌱 use cosign attest and upgrade bom
2 parents 6ce9d64 + f28043b commit b56c93d


1 file changed

+3
-7
lines changed


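--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,7 +49,7 @@ jobs:
 - name: Install Bom
 shell: bash
 run: |
-curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.4.1/bom-linux-amd64 -o bom
+curl -L https://github.com/kubernetes-sigs/bom/releases/download/v0.6.0/bom-amd64-linux -o bom
 sudo mv ./bom /usr/local/bin/bom
 sudo chmod +x /usr/local/bin/bom
 
@@ -77,8 +77,6 @@ jobs:
 cache-to: type=gha, mode=max, scope=${{ github.workflow }}
 
 - name: Sign Container Images
-env:
-COSIGN_EXPERIMENTAL: "true"
 run: |
 cosign sign --yes ghcr.io/sovereigncloudstack/cso@${{ steps.docker_build_release_cso.outputs.digest }}
 
@@ -87,16 +85,14 @@ jobs:
 # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed
 # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479
 run: |
-bom generate -o sbom_ci_main_cso_${{ steps.metacso.outputs.version }}.spdx \
+bom generate -o sbom_ci_main_cso_${{ steps.metacso.outputs.version }}-spdx.json \
 --image=ghcr.io/sovereigncloudstack/cso:${{ steps.metacso.outputs.version }}
 
 - name: Attach SBOM to Container Images cso
 run: |
-cosign attach sbom --sbom sbom_ci_main_cso_${{ steps.metacso.outputs.version }}.spdx ghcr.io/sovereigncloudstack/cso@${{ steps.docker_build_release_cso.outputs.digest }}
+cosign attest --yes --type=spdxjson --predicate sbom_ci_main_cso_${{ steps.metacso.outputs.version }}-spdx.json ghcr.io/sovereigncloudstack/cso@${{ steps.docker_build_release_cso.outputs.digest }}
 
 - name: Sign SBOM Images cso
-env:
-COSIGN_EXPERIMENTAL: "true"
 run: |
 docker_build_release_digest="${{ steps.docker_build_release_cso.outputs.digest }}"
 image_name="ghcr.io/sovereigncloudstack/cso:${docker_build_release_digest/:/-}.sbom"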
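Review bot: The updated `bom` download in the first hunk (new line 52) still installs a binary into /usr/local/bin with no integrity check, and `curl -L` without `--fail` will write an HTTP error body into `bom` when the asset name changes — exactly what happened between v0.4.1 (`bom-linux-amd64`) and v0.6.0 (`bom-amd64-linux`) — so a broken download only surfaces later when `bom generate` runs. Make the step fail at the download and verify what was fetched, e.g. `curl -fsSL https://github.com/kubernetes-sigs/bom/releases/download/v0.6.0/bom-amd64-linux -o bom` followed by `echo "<EXPECTED_SHA256>  bom" | sha256sum -c -`, where the placeholder is the digest published with that release. Separately, in the third hunk the new `cosign attest --type=spdxjson` consumes a file that the `bom generate` call only renamed to `-spdx.json`; unless bom infers JSON from the filename, the predicate will still be SPDX tag-value text, and the unchanged To-Do comment about JSON output on old line 88 / new line 86 suggests this was not confirmed.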
