ci: add sbom attestation step to release action (keptn#2873)

Signed-off-by: r3drun3 <[email protected]>
mowies · Jan 25, 2024 · 844a7ad · 844a7ad
1 parent 20f5705
commit 844a7ad
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -202,6 +202,17 @@ jobs:
         with:
           tag_name: ${{ matrix.config.tagName }}
           files: ./sbom-${{ matrix.config.name }}.spdx.json
+
+      - name: Attest the Image with SBOM
+        env:
+          IMAGE_DIGEST: ${{ steps.docker_build_image.outputs.digest }}
+        run: |
+          cosign attest --yes --type spdx --predicate ./sbom-${{ matrix.config.name }}.spdx.json ${{ env.IMAGE_NAME }}@${{ env.IMAGE_DIGEST }}
+          cosign verify-attestation --type spdx \
+            --certificate-identity-regexp="https://github.com/keptn/lifecycle-toolkit/.*" \
+            --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+            ${{ env.IMAGE_NAME }}@${{ env.IMAGE_DIGEST }}
+
   update-examples:
     name: Update examples
     needs: