
Commit 43e81e2

committed
pin buildkit syft scanner image
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
1 parent 6a1cfbc commit 43e81e2


2 files changed

+16
-3
lines changed


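--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -139,6 +139,7 @@ on:
 env:
 BUILDX_VERSION: "v0.30.1"
 BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
+SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
 DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
 COSIGN_VERSION: "v3.0.2"
 LOCAL_EXPORT_DIR: "/tmp/buildx-output"
@@ -165,6 +166,7 @@ jobs:
 id: set
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
+INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
 INPUT_MATRIX-SIZE-LIMIT: ${{ env.MATRIX_SIZE_LIMIT }}
 INPUT_RUNNER: ${{ inputs.runner }}
 INPUT_ARTIFACT-UPLOAD: ${{ inputs.artifact-upload }}
@@ -184,6 +186,7 @@ jobs:
 const { GitHub } = require('@docker/actions-toolkit/lib/github');
 const { Util } = require('@docker/actions-toolkit/lib/util');
 
+const inpSbomImage = core.getInput('sbom-image');
 const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10);
 
 const inpRunner = core.getInput('runner');
@@ -236,7 +239,7 @@ jobs:
 def = await bake.getDefinition({
 files: inpFiles,
 overrides: inpSet,
-sbom: inpSbom ? 'true' : 'false',
+sbom: inpSbom ? `generator=${inpSbomImage}` : 'false',
 source: bakeSource,
 targets: [inpTarget],
 githubToken: inpGitHubToken
@@ -462,6 +465,7 @@ jobs:
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
 INPUT_PLATFORM: ${{ matrix.platform }}
+INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
 INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }}
 INPUT_CACHE: ${{ inputs.cache }}
 INPUT_CACHE-SCOPE: ${{ inputs.cache-scope }}
@@ -491,6 +495,7 @@ jobs:
 const platformPairSuffix = inpPlatform ? `-${inpPlatform.replace(/\//g, '-')}` : '';
 core.setOutput('platform-pair-suffix', platformPairSuffix);
 
+const inpSbomImage = core.getInput('sbom-image');
 const inpLocalExportDir = core.getInput('local-export-dir');
 
 const inpCache = core.getBooleanInput('cache');
@@ -524,7 +529,7 @@ jobs:
 const def = await bake.getDefinition({
 files: inpFiles,
 overrides: inpSet,
-sbom: inpSbom ? 'true' : 'false',
+sbom: inpSbom ? `generator=${inpSbomImage}` : 'false',
 source: bakeSource,
 targets: [inpTarget],
 githubToken: inpGitHubToken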
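Review bot: The new `SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"` in the `env:` block (and the identical line added to `.github/workflows/build.yml`) pins the scanner by tag only, and a tag can be re-pointed in the registry, so the image that generates the SBOM attestation is not fixed to known content. `BUILDKIT_IMAGE` directly above it is already pinned by digest and the `actions/github-script` steps by commit SHA, so the scanner should take the same form, e.g. `SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0@sha256:<digest-of-the-1.9.0-image>"`, with the digest read from the registry for that release. Because the value is passed to the build as `generator=${inpSbomImage}`, a digest here is what ties each attestation to one auditable scanner image.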

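--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -146,6 +146,7 @@ on:
 env:
 BUILDX_VERSION: "v0.30.1"
 BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
+SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
 DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
 COSIGN_VERSION: "v3.0.2"
 LOCAL_EXPORT_DIR: "/tmp/buildx-output"
@@ -423,6 +424,7 @@ jobs:
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 env:
 INPUT_PLATFORM: ${{ matrix.platform }}
+INPUT_SBOM-IMAGE: ${{ env.SBOM_IMAGE }}
 INPUT_LOCAL-EXPORT-DIR: ${{ env.LOCAL_EXPORT_DIR }}
 INPUT_ANNOTATIONS: ${{ inputs.annotations }}
 INPUT_CACHE: ${{ inputs.cache }}
@@ -432,6 +434,7 @@ jobs:
 INPUT_CONTEXT: ${{ inputs.context }}
 INPUT_OUTPUT: ${{ inputs.output }}
 INPUT_PUSH: ${{ inputs.push }}
+INPUT_SBOM: ${{ inputs.sbom }}
 INPUT_TARGET: ${{ inputs.target }}
 INPUT_META-IMAGES: ${{ inputs.meta-images }}
 INPUT_SET-META-ANNOTATIONS: ${{ inputs.set-meta-annotations }}
@@ -445,6 +448,8 @@ jobs:
 const inpPlatform = core.getInput('platform');
 const platformPairSuffix = inpPlatform ? `-${inpPlatform.replace(/\//g, '-')}` : '';
 core.setOutput('platform-pair-suffix', platformPairSuffix);
+
+const inpSbomImage = core.getInput('sbom-image');
 const inpLocalExportDir = core.getInput('local-export-dir');
 
 const inpAnnotations = core.getMultilineInput('annotations');
@@ -455,6 +460,7 @@ jobs:
 const inpLabels = core.getMultilineInput('labels');
 const inpOutput = core.getInput('output');
 const inpPush = core.getBooleanInput('push');
+const inpSbom = core.getBooleanInput('sbom');
 const inpTarget = core.getInput('target');
 
 const inpMetaImages = core.getMultilineInput('meta-images');
@@ -486,6 +492,8 @@ jobs:
 core.setOutput('platform', inpPlatform);
 }
 
+core.setOutput('sbom', inpSbom ? `generator=${inpSbomImage}` : 'false');
+
 if (inpCache) {
 core.setOutput('cache-from', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix}`);
 core.setOutput('cache-to', `type=gha,scope=${inpCacheScope || inpTarget || 'buildkit'}${platformPairSuffix},mode=${inpCacheMode}`);
@@ -530,7 +538,7 @@ jobs:
 outputs: ${{ steps.prepare.outputs.output }}
 platforms: ${{ steps.prepare.outputs.platform }}
 provenance: ${{ steps.prepare.outputs.provenance }}
-sbom: ${{ inputs.sbom }}
+sbom: ${{ steps.prepare.outputs.sbom }}
 secret-envs: GIT_AUTH_TOKEN=GIT_AUTH_TOKEN
 shm-size: ${{ inputs.shm-size }}
 target: ${{ inputs.target }}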
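Review bot: In the prepare script, `const inpSbomImage = core.getInput('sbom-image');` accepts an empty value, so if `SBOM_IMAGE` were ever renamed or dropped from `env:` the step would output `generator=` with nothing after it. How the build treats an empty generator is not visible here; if it falls back to a default scanner image, the pin would be lost without any failure. Reading the input as `const inpSbomImage = core.getInput('sbom-image', { required: true });` makes the step fail instead, and the same read appears twice in `.github/workflows/bake.yml`. The script body starts and ends outside these hunks.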
