diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 67b4e2c..80c5dd6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -70,6 +70,7 @@ jobs:
           cargo binstall cargo-component --force --version ${{ env.CARGO_COMPONENT_VERSION }}
           cargo binstall wkg --force
           cargo binstall cargo-auditable cargo-audit
+          cargo binstall auditable2cdx
 
       - name: Build the component
         run: cargo auditable component build --release
@@ -77,6 +78,10 @@ jobs:
       - name: Normalize COMPONENT_NAME and Append .wasm
         run: echo "COMPONENT_NAME_UNDERSCORED=${COMPONENT_NAME//-/_}.wasm" >> $GITHUB_ENV
 
+      - name: Extract the SBOM from the component
+        if: github.event_name != 'workflow_dispatch'
+        run: auditable2cdx target/wasm32-wasip1/release/${{ env.COMPONENT_NAME_UNDERSCORED }} >> ${ env.COMPONENT_NAME }.spdx.json
+
       - name: Publish `:` to GitHub Container Registry
         if: github.event_name != 'workflow_dispatch'
         id: publish_versioned
@@ -94,6 +99,10 @@ jobs:
         if: github.event_name != 'workflow_dispatch'
         run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@${{ steps.publish_versioned.outputs.digest }}
 
+      - name: Sign the SBOM for the versioned Wasm component
+        if: github.event_name != 'workflow_dispatch'
+        run: cosign attest --type spdxjson --predicate ${ env.COMPONENT_NAME }.spdx.json ${{ steps.publish_versioned.outputs.digest }}
+
       - name: Publish `:latest` release to GitHub Container Registry
         if: github.event_name != 'workflow_dispatch'
         id: publish_latest
@@ -111,3 +120,6 @@ jobs:
         if: github.event_name != 'workflow_dispatch'
         run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@${{ steps.publish_latest.outputs.digest }}
 
+      - name: Sign the SBOM for the latest Wasm component
+        if: github.event_name != 'workflow_dispatch'
+        run: cosign attest --type spdxjson --predicate ${ env.COMPONENT_NAME }.spdx.json ${{ steps.publish_latest.outputs.digest }}
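Review bot: The added `cargo binstall auditable2cdx` line installs whatever version is current at run time, while `cargo-component` on the first context line of the same hunk is pinned through `CARGO_COMPONENT_VERSION`; a tool whose output is subsequently signed and attested to the registry should be pinned the same way so the SBOM generator cannot change underneath a release. Proposed: `cargo binstall auditable2cdx --force --version ${{ env.AUDITABLE2CDX_VERSION }}`, with `AUDITABLE2CDX_VERSION` (a constructed name) declared next to `CARGO_COMPONENT_VERSION` in the job's `env` block, which lies outside this hunk. The `wkg` and `cargo-auditable cargo-audit` context lines have the same gap but are not part of this change.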
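Review bot: `${ env.COMPONENT_NAME }.spdx.json` on the new `run:` line of the "Extract the SBOM from the component" step uses single braces, so it is not a workflow expression; it reaches the shell verbatim and bash rejects `${ env.COMPONENT_NAME }` as a bad substitution, failing the step before any SBOM is written. The same single-brace reference is repeated on the `cosign attest` lines in both later hunks. The tool's name indicates CycloneDX output, so naming the file `.spdx.json` and later attesting it with `--type spdxjson` would label the predicate with the wrong format; worth confirming against auditable2cdx's documentation before the first release ships an attestation. Proposed line: `run: auditable2cdx target/wasm32-wasip1/release/${{ env.COMPONENT_NAME_UNDERSCORED }} > ${{ env.COMPONENT_NAME }}.cdx.json`, using `>` rather than `>>` so the SBOM is always a fresh file and can never be appended to an existing one.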
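Review bot: `cosign attest` on the new `run:` line is given only `${{ steps.publish_versioned.outputs.digest }}`, a bare digest, whereas the `cosign sign` context line two lines above passes the full `ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@...` reference; cosign needs the registry reference to know where to push the attestation, so the step cannot succeed as written. It also omits `--yes`, which the sign step relies on to run non-interactively, and `${ env.COMPONENT_NAME }` with single braces is not expanded by the workflow runner and is rejected by bash. Proposed: `run: cosign attest --yes --type spdxjson --predicate ${{ env.COMPONENT_NAME }}.spdx.json ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@${{ steps.publish_versioned.outputs.digest }}`; if the extract step is changed to emit a CycloneDX-named file, `--type cyclonedx` and the predicate path follow. The last hunk's "Sign the SBOM for the latest Wasm component" step needs the same three corrections with `steps.publish_latest.outputs.digest`.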