ci: fix CLI SBOM generation (#1005)

This commit is contained in:
Nils Hanke 2023-01-18 11:36:39 +01:00 committed by GitHub
parent 411dfed18f
commit fc2a285270
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -100,38 +100,57 @@ jobs:
signed-sbom: signed-sbom:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Setup Go environment
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.19.5"
- name: Download Syft & Grype
shell: bash
working-directory: /tmp
run: |
SYFT_VERSION=0.66.1
GRYPE_VERSION=0.55.0
curl -Lo syft_${SYFT_VERSION}_linux_amd64.tar.gz https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
sudo install syft /usr/bin/syft
syft version
curl -Lo grype_${GRYPE_VERSION}_linux_amd64.tar.gz https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
sudo install grype /usr/bin/grype
grype version
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
- name: Download syft & grype # Build one CLI since Syft's go-module catalog will default to binary parsing.
shell: bash # Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI.
run: | # This seems to work fine for one OS & one arch as long as we don't have OS specific imports.
SYFT_VERSION=0.62.1 # Luckily, so far this does not seem to be the case.
GRYPE_VERSION=0.53.1 # As of v2.4.0, all SBOMs seem to have the same packages for [linux|darwin] & [amd64|arm64].
curl -LO https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz # If this changes, this should be split up into multiple builds & multiple SBOMs.
tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz - name: Build CLI (amd64, linux)
./syft version uses: ./.github/actions/build_cli
curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz with:
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz targetOS: "linux"
./grype version targetArch: "amd64"
pwd >> "$GITHUB_PATH"
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
- name: Build signed SBOM - name: Build signed SBOM
run: |
syft build/constellation-linux-amd64 --catalogers go-module --file constellation.spdx.sbom -o spdx-json
cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
grype constellation.spdx.sbom --fail-on high --only-fixed --add-cpes-if-none
env: env:
COSIGN_EXPERIMENTAL: 1 COSIGN_EXPERIMENTAL: 1
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }} COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
run: |
syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json
cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
grype constellation.spdx.sbom --fail-on high --only-fixed
- name: Upload Constellation CLI SBOM - name: Upload Constellation CLI SBOM
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2