chore(workflow): add generate-sbom.yml

Signed-off-by: Derek Su <derek.su@suse.com>
derekbit · Sep 20, 2024 · 8d7ab0a · 8d7ab0a
1 parent 85d77b2
commit 8d7ab0a
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/.github/workflows/generate-sbom.yml b/.github/workflows/generate-sbom.yml
@@ -0,0 +1,62 @@
+name: Generate-SBOM
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag that needs to generate sbom"
+        required: true
+jobs:
+  generate-sbom:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v4
+    - name: Install Syft
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3.5.0
+    - name: Generate Key
+      run: |
+        cosign generate-key-pair
+      env:
+        COSIGN_PASSWORD: ""
+    - name: Generate SBOM
+      run: |
+        mkdir sbom
+        LONGHORN_IMAGES_FILE=deploy/longhorn-images.txt
+        while read -r IMAGE; do
+          IMAGE_NAME="${IMAGE#*/}"
+          FILE_PREFIX="${IMAGE_NAME//:/-}"
+          syft -q "${IMAGE}" -o json --platform=linux/amd64 > "sbom/${FILE_PREFIX}-amd64.sbom"
+          if [[ "${IMAGE}" != *"openshift-origin-oauth-proxy"* ]]; then
+            syft -q "${IMAGE}" -o json --platform=linux/arm64 > "sbom/${FILE_PREFIX}-arm64.sbom"
+          fi
+        done < "${LONGHORN_IMAGES_FILE}"
+    - name: Sign SBOM
+      run: |
+        for SBOM_FILE in "sbom"/*; do
+          SIG_FILE_NAME="${SBOM_FILE%.*}.sig"
+          cosign sign-blob -y "${SBOM_FILE}" --key cosign.key --output-signature "${SIG_FILE_NAME}"
+        done
+    - name: Verify SBOM
+      run: |
+        for SBOM_FILE in "sbom"/*.sbom; do
+          SIG_FILE_NAME="${SBOM_FILE%.*}.sig"
+          cosign verify-blob --key cosign.pub --signature "$(cat "${SIG_FILE_NAME}")" "${SBOM_FILE}"
+        done
+    - name: Ship Public Key
+      run: |
+        cp cosign.pub sbom/cosign.pub
+    - name: Tar Assets
+      run: |
+        tar zcvf sbom.tar.gz sbom
+    - name: Upload Release Assets
+      uses: AButler/upload-release-assets@v3.0
+      with:
+        files: sbom.tar.gz
+        repo-token: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
+        release-tag: ${{ inputs.tag || '' }}
+      if: ${{ always() }}