Merge pull request #334 from crazy-max/sbom-provenance

ci: generate sbom and provenance

.github/workflows/build.yml

@@ -90,11 +90,26 @@ jobs:
         uses: docker/bake-action@v4
         with:
           targets: artifact
+          provenance: mode=max
+          sbom: true
           pull: true
           set: |
             *.platform=${{ matrix.platform }}
             *.cache-from=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }}
             *.cache-to=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }},mode=max
+      -
+        name: Rename provenance and sbom
+        working-directory: ${{ env.DESTDIR }}/artifact
+        run: |
+          binname=$(find . -name 'swarm-cronjob_*')
+          filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
+          mv "provenance.json" "${filename}.provenance.json"
+          mv "sbom-binary.spdx.json" "${filename}.sbom.json"
+          find . -name 'sbom*.json' -exec rm {} \;
+      -
+        name: List artifacts
+        run: |
+          tree -nh ${{ env.DESTDIR }}
       -
         name: Upload artifact
         uses: actions/upload-artifact@v4
@@ -126,6 +141,7 @@ jobs:
         uses: docker/bake-action@v4
         with:
           targets: release
+          provenance: false
       -
         name: GitHub Release
         uses: softprops/action-gh-release@v1
@@ -205,6 +221,8 @@ jobs:
             ./docker-bake.hcl
             ${{ steps.meta.outputs.bake-file }}
           targets: image-all
+          provenance: mode=max
+          sbom: true
           pull: true
           push: ${{ github.event_name != 'pull_request' }}
           set: |

Dockerfile

@@ -48,6 +48,8 @@ COPY --link --from=build /usr/bin/swarm-cronjob /swarm-cronjob.exe
 FROM binary-unix AS binary-darwin
 FROM binary-unix AS binary-linux
 FROM binary-$TARGETOS AS binary
+# enable scanning for this stage
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
 FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS build-artifact
 RUN apk add --no-cache bash tar zip