Adds automated sbom creation and upload to publish-image step (#1887)

Co-authored-by: Lukas Hinterreiter <90035514+luhi-DT@users.noreply.github.com>
Dynatrace · Jun 22, 2023 · 37283a9 · 37283a9
1 parent e34995a
commit 37283a9
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 1 deletion.
diff --git a/.github/actions/upload-sbom/action.yaml b/.github/actions/upload-sbom/action.yaml
@@ -0,0 +1,31 @@
+name: Upload SBOM
+description: uploads a sbom for a given image to a registry
+inputs:
+  image:
+    description: full image to generate and attach sbom
+    required: true
+  sbom:
+    description: sbom of type cyclonedx to attach to image
+    required: true
+  signing-key:
+    description: private signing key
+    required: true
+  signing-password:
+    description: password for private signing key
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5
+    - name: Attach sbom attestation to image
+      shell: bash
+      run: |
+        cosign attest -y --key env://COSIGN_PRIVATE_KEY  --type cyclonedx --predicate ${{ inputs.sbom }} ${{ inputs.image }}
+      env:
+        COSIGN_PRIVATE_KEY: ${{ inputs.signing-key }}
+        COSIGN_PASSWORD: ${{ inputs.signing-password }}
+    - name: Attach sbom attestation to image and sign keyless
+      shell: bash
+      run: |
+        cosign attest -y  --type cyclonedx --predicate ${{ inputs.sbom }} ${{ inputs.image }}
diff --git a/.github/workflows/publish-images.yaml b/.github/workflows/publish-images.yaml
@@ -176,9 +176,66 @@ jobs:
           registry: ${{ matrix.url }}
           repository: ${{ secrets[matrix.repository] }}
           combined: true
+      - name: Get image digest
+        id: digest
+        env:
+          IMAGE: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}
+        run: |
+          hack/build/ci/get-image-digest.sh
       - name: Sign manifests for ${{matrix.registry}}
         uses: ./.github/actions/sign-image
         with:
-          image: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}
+          image: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}@${{steps.digest.outputs.digest}}
+          signing-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          signing-password: ${{ secrets.COSIGN_PASSWORD }}
+  attach-sbom:
+    name: Attach sbom
+    environment: Release
+    needs: [ prepare, push, manifest ]
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    strategy:
+      matrix:
+        registry: [gcr, dockerhub]
+        include:
+          - registry: gcr
+            url: gcr.io
+            repository: GCR_REPOSITORY
+            username: GCR_USERNAME
+            password: GCR_JSON_KEY
+          - registry: dockerhub
+            url: docker.io
+            repository: DOCKERHUB_REPOSITORY
+            username: DOCKERHUB_USERNAME
+            password: DOCKERHUB_PASSWORD
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Login to Registry
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          registry: ${{ matrix.url }}
+          username: ${{ secrets[matrix.username] }}
+          password: ${{ secrets[matrix.password] }}
+      - name: Get operator-image digest
+        id: operator-digest
+        env:
+          IMAGE: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}
+        run: |
+          hack/build/ci/get-image-digest.sh
+      - name: Create sbom for ${{matrix.registry}}
+        id: sbom
+        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
+        with:
+          image-ref: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}@${{steps.operator-digest.outputs.digest}}
+          format: 'cyclonedx'
+          output: 'result.json'
+          skip-dirs: '/usr/share/dynatrace-operator/third_party_licenses'
+      - name: Upload sbom to ${{matrix.registry}}
+        uses: ./.github/actions/upload-sbom
+        with:
+          image: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}@${{steps.operator-digest.outputs.digest}}
+          sbom: 'result.json'
           signing-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
           signing-password: ${{ secrets.COSIGN_PASSWORD }}