.github/workflows/sbom.yml

name: Generate SBOMs

on:
  workflow_call:
    inputs:
      image-name:
        type: string
        required: true
      image-digest:
        type: string
        required: true

jobs:
  sbom:
    name: Generate SBOM, sign and attach them to OCI image
    permissions:
      packages: write
      id-token: write

    runs-on: ubuntu-latest
    steps:
      - name: Sanitize image name
        run: |
          image="${{ inputs.image-name }}"
          image="${image//_/-}"
          echo "image=$image" >> $GITHUB_ENV

      - name: Install cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Install syft
        uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Find repository name
        shell: bash
        run: |
          set -e
          IMG_REPOSITORY_NAME=$( echo ${{ github.repository }} | awk '{print tolower($0)}' )
          echo IMG_REPOSITORY_NAME=${IMG_REPOSITORY_NAME} >> $GITHUB_ENV

      - name: Create SBOM file
        shell: bash
        run: |
          SYFT=$(which syft)
          sudo $SYFT \
            -o spdx-json \
            --file $image-sbom.spdx \
            ghcr.io/${{ env.IMG_REPOSITORY_NAME }}/$image@${{ inputs.image-digest }}

      - name: Sign SBOM file
        run: |
          cosign sign-blob --yes \
            --output-certificate $image-sbom.spdx.cert \
            --output-signature $image-sbom.spdx.sig \
            $image-sbom.spdx

      - name: Attach SBOM to container image
        shell: bash
        run: |
          cosign attach \
            sbom --sbom $image-sbom.spdx \
            ghcr.io/${{ env.IMG_REPOSITORY_NAME }}/$image@${{ inputs.image-digest }}

      - name: Sign SBOM file pushed to OCI registry
        shell: bash
        run: |
          set -e
          SBOM_TAG="$(echo ${{ inputs.image-digest }} | sed -e 's/:/-/g').sbom"
          cosign sign --yes \
            ghcr.io/${{ env.IMG_REPOSITORY_NAME }}/$image:${SBOM_TAG}

      - name: Upload SBOMs as artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: $image-sbom-*