diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1a29ff5..91a9add 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -90,11 +90,26 @@ jobs:
 uses: docker/bake-action@v4
 with:
 targets: artifact
+ provenance: mode=max
+ sbom: true
 pull: true
 set: |
 *.platform=${{ matrix.platform }}
 *.cache-from=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }}
 *.cache-to=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }},mode=max
+ -
+ name: Rename provenance and sbom
+ working-directory: ${{ env.DESTDIR }}/artifact
+ run: |
+ binname=$(find . -name 'swarm-cronjob_*')
+ filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
+ mv "provenance.json" "$(unknown).provenance.json"
+ mv "sbom-binary.spdx.json" "$(unknown).sbom.json"
+ find . -name 'sbom*.json' -exec rm {} \;
+ -
+ name: List artifacts
+ run: |
+ tree -nh ${{ env.DESTDIR }}
 -
 name: Upload artifact
 uses: actions/upload-artifact@v4
@@ -126,6 +141,7 @@ jobs:
 uses: docker/bake-action@v4
 with:
 targets: release
+ provenance: false
 -
 name: GitHub Release
 uses: softprops/action-gh-release@v1
@@ -205,6 +221,8 @@ jobs:
 ./docker-bake.hcl
 ${{ steps.meta.outputs.bake-file }}
 targets: image-all
+ provenance: mode=max
+ sbom: true
 pull: true
 push: ${{ github.event_name != 'pull_request' }}
 set: |
diff --git a/Dockerfile b/Dockerfile
index 046bcb7..7cb7ffd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -48,6 +48,8 @@ COPY --link --from=build /usr/bin/swarm-cronjob /swarm-cronjob.exe
 FROM binary-unix AS binary-darwin
 FROM binary-unix AS binary-linux
 FROM binary-$TARGETOS AS binary
+# enable scanning for this stage
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
 FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS build-artifact
 RUN apk add --no-cache bash tar zip
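Review bot: In the "Rename provenance and sbom" step both `mv` targets use `$(unknown)`, which runs a command named `unknown` and expands to an empty string, so the attestations end up as the hidden files `.provenance.json` and `.sbom.json` while the `filename` computed on the line above is never used; presumably `${filename}` was intended: `mv "provenance.json" "${filename}.provenance.json"` and `mv "sbom-binary.spdx.json" "${filename}.sbom.json"`. The step does not abort on that mistake because the failing substitution is only an argument to `mv`, so the mis-named files would be carried into the upload step unnoticed. The `find . -name 'swarm-cronjob_*'` on the first line is also unbounded, so no match or several matches silently produce an empty or multi-line `filename`; adding `-maxdepth 1 -type f` and failing the step when `$binname` is empty would keep a bad attestation name from reaching the artifact. The job continues outside the hunk.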
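Review bot: `provenance: false` on the release target carries no comment explaining why attestation is disabled here while the artifact and image builds in the other hunks use `mode=max`, so someone auditing the supply-chain settings will read it as an oversight. If the reason is that this target only repackages per-platform artifacts that were already attested in the artifact job, state it above the line, e.g. `# release only assembles already-attested artifacts; a second attestation here would describe the packaging step, not the build` — please confirm that is actually the case.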
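Review bot: `provenance: mode=max` on the pushed image records the full build definition, including build arguments, in the attestation published alongside the image, so any value supplied as a build arg rather than as a secret mount becomes readable by anyone who can pull the image. The `set:` block and the bake file that define those arguments lie outside the hunk, so please check they carry nothing sensitive, and consider a comment above the line stating the constraint, e.g. `# mode=max embeds build args in the published attestation; pass credentials only as secrets`.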
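Review bot: The comment `# enable scanning for this stage` does not say what kind of scanning is meant or that `ARG BUILDKIT_SBOM_SCAN_STAGE` only applies to the stage it is declared in, so a reader may take it for a global switch; a more precise line such as `# BUILDKIT_SBOM_SCAN_STAGE is stage-scoped: opt this intermediate stage into the SBOM scan in addition to the final stage` would make the intent clear. Since it is an `ARG`, it can also be overridden at build time, which is worth noting if the SBOM for this stage is expected to always be present.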