-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yaml
135 lines (129 loc) · 4.42 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: 'Nais Salsa Action'
description: 'Generate, sign and upload SBOM'
inputs:
ecosystem:
description: |-
(Optional) action finds the actual build file in the repository but you can also specify a ecosystem to generate
sbom from. Several of ecosystems have different type of build systems, then specify key=value,
for node e.g. node=npm and for python e.g. python=poetry etc. maven and gradle only supports wrappers.
If the application is depending on private repositories, please see 'bring your own sbom' alias 'byo-sbom'
required: false
image:
description: |-
image to sign and upload attestation, must be in the form of <image>:<tag>@<digest>
required: true
with-dependencies:
description: |-
Generate and include dependencies in the SBOM
required: false
default: "true"
build-context:
description: |-
current working directory for sbom generation, defaults to root of the repository
useful in mono-repos or when the build file is not in the root of the repository
required: false
default: '.'
go-main-dir:
description: |-
main directory for go ecosystem
required: false
default: ''
byo-sbom:
description: |-
bring your own SBOM, use existing SBOM file instead of auto generating, must be a json file and
default format is CycloneDX, see: https://github.com/sigstore/cosign/blob/main/doc/cosign_attest.md for more info.
If the file is not in the root of the repository, please see 'build-context'
required: false
sbom:
description: |-
filename of the SBOM file, defaults to bom.json
required: false
default: 'bom.json'
type:
description: |-
type of the SBOM file, defaults to cyclonedx
required: false
default: 'cyclonedx'
workload-identity-provider:
description: |-
The workload identity provider for google service account impersonation
required: false
default: ''
google-service-account:
description: |-
Name of google service account to impersonate
required: false
default: ''
key:
description: |-
path to the private key file or KMS URI
required: false
default: ''
password:
description: |-
password for the private key file
required: false
default: ''
kms-credentials:
description: |-
The sa credentials for the KMS key
required: false
default: ''
runs:
using: composite
steps:
- name: Check Image format
run: |
if [[ ${{ inputs.image }} != *@sha256:* ]]; then
echo "Image must be in the form of <image>@<digest>"
exit 1
fi
echo IMAGE=${{ inputs.image }} >> $GITHUB_ENV
shell: bash
- name: Bring your own SBOM
if: ${{ inputs.byo-sbom != '' }}
run: |
if [ ! -f ${{ inputs.byo-sbom }} ]; then
echo "File ${{ inputs.byo-sbom }} not found!"
exit 1
fi
if [[ ${{ inputs.byo-sbom }} != *.json ]]; then
echo "File ${{ inputs.byo-sbom }} is not a json file!"
exit 1
fi
shell: bash
- name: Sign and attest byo-SBOM
if: ${{ inputs.byo-sbom != '' }}
uses: ./attest
with:
image: ${{ inputs.image }}
sbom: ${{ inputs.byo-sbom }}
type: ${{ inputs.type }}
workload-identity-provider: ${{ inputs.workload-identity-provider }}
google-service-account: ${{ inputs.google-service-account }}
key: ${{ inputs.key }}
password: ${{ inputs.password }}
kms-credentials: ${{ inputs.kms-credentials }}
- name: Generate SBOM
if: ${{ inputs.byo-sbom == '' }}
id: generate-sbom
uses: ./sbom
with:
ecosystem: ${{ inputs.ecosystem }}
image: ${{ inputs.image }}
build-context: ${{ inputs.build-context }}
go-main-dir: ${{ inputs.go-main-dir }}
sbom: ${{ inputs.sbom }}
with-dependencies: ${{ inputs.with-dependencies }}
- name: Sign and attest generated SBOM
if: ${{ inputs.byo-sbom == '' }}
uses: ./attest
with:
image: ${{ inputs.image }}
sbom: ${{ steps.generate-sbom.outputs.sbom-path }}
type: ${{ inputs.type }}
workload-identity-provider: ${{ inputs.workload-identity-provider }}
google-service-account: ${{ inputs.google-service-account }}
key: ${{ inputs.key }}
password: ${{ inputs.password }}
kms-credentials: ${{ inputs.kms-credentials }}