ci: inspect sbom and provenance

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax 2023-11-17 11:34:55 +01:00
parent b625868b13
commit fae8018297
No known key found for this signature in database
GPG Key ID: ADE44D8C9D44FBE4

@ -598,12 +598,24 @@ jobs:
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
attrs: include:
- '' - target: image
- mode=max output: type=image,name=localhost:5000/name/app:latest,push=true
- builder-id=foo attr: mode=max
- false - target: image
- true output: type=image,name=localhost:5000/name/app:latest,push=true
attr: ''
- target: binary
output: /tmp/buildx-build
attr: mode=max
- target: binary
output: /tmp/buildx-build
attr: ''
services:
registry:
image: registry:2
ports:
- 5000:5000
steps: steps:
- -
name: Checkout name: Checkout
@ -622,11 +634,24 @@ jobs:
with: with:
context: ./test/go context: ./test/go
file: ./test/go/Dockerfile file: ./test/go/Dockerfile
target: binary target: ${{ matrix.target }}
outputs: type=oci,dest=/tmp/build.tar outputs: ${{ matrix.output }}
provenance: ${{ matrix.attrs }} provenance: ${{ matrix.attr }}
cache-from: type=gha,scope=provenance -
cache-to: type=gha,scope=provenance,mode=max name: Inspect Provenance
if: matrix.target == 'image'
run: |
docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .Provenance}}'
-
name: Check output folder
if: matrix.target == 'binary'
run: |
tree /tmp/buildx-build
-
name: Print local Provenance
if: matrix.target == 'binary'
run: |
cat /tmp/buildx-build/provenance.json | jq
sbom: sbom:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -667,22 +692,17 @@ jobs:
cache-from: type=gha,scope=attests-${{ matrix.target }} cache-from: type=gha,scope=attests-${{ matrix.target }}
cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
- -
name: Inspect image name: Inspect SBOM
if: matrix.target == 'image' if: matrix.target == 'image'
run: | run: |
docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}' docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .SBOM}}'
- -
name: Check output folder name: Check output folder
if: matrix.target == 'binary' if: matrix.target == 'binary'
run: | run: |
tree /tmp/buildx-build tree /tmp/buildx-build
- -
name: Print provenance name: Print local SBOM
if: matrix.target == 'binary'
run: |
cat /tmp/buildx-build/provenance.json | jq
-
name: Print SBOM
if: matrix.target == 'binary' if: matrix.target == 'binary'
run: | run: |
cat /tmp/buildx-build/sbom.spdx.json | jq cat /tmp/buildx-build/sbom.spdx.json | jq