From 433a60e1223994d79b56d4c23462a32a418fb101 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Sat, 18 Jan 2025 12:25:58 +0100
Subject: [PATCH] ci: fix provenance for binaries and generate sbom

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/ci.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 86bebbed8..fe1a18774 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -91,10 +91,25 @@ jobs:
 with:
 source: .
 targets: release
+ provenance: mode=max
+ sbom: true
 set: |
 *.platform=${{ matrix.platform }}
 *.cache-from=type=gha,scope=binary-${{ env.PLATFORM_PAIR }}
 *.cache-to=type=gha,scope=binary-${{ env.PLATFORM_PAIR }},mode=max
+ - name: Rename provenance and sbom working-directory: ./bin/release run: | binname=$(find . -name 'docker-compose-*') filename=$(basename "$binname" | sed -E 's/\.exe$//') mv "provenance.json" "$(unknown).provenance.json" mv "sbom-binary.spdx.json" "$(unknown).sbom.json" find . -name 'sbom*.json' -exec rm {} \;
+ - name: List artifacts run: | tree -nh ./bin/release
 -
 name: Upload artifacts
 uses: actions/upload-artifact@v4
@@ -283,7 +298,11 @@ jobs:
 find . -type f -print0 | sort -z | xargs -r0 shasum -a 256 -b | sed 's# \*\./# *#' > $RUNNER_TEMP/checksums.txt
 shasum -a 256 -U -c $RUNNER_TEMP/checksums.txt
 mv $RUNNER_TEMP/checksums.txt .
- cat checksums.txt | while read sum file; do echo "$sum $file" > ${file#\*}.sha256; done
+ cat checksums.txt | while read sum file; do
+ if [[ "${file#\*}" == docker-compose-* && "${file#\*}" != *.provenance.json && "${file#\*}" != *.sbom.json ]]; then
+ echo "$sum $file" > ${file#\*}.sha256
+ fi
+ done
 -
 name: License
 run: cp packaging/* ./bin/release/
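Review bot: In the `Rename provenance and sbom` step, `filename` is derived from the binary name but never used, while both `mv` targets read `$(unknown).provenance.json` and `$(unknown).sbom.json`; as rendered here `$(unknown)` substitutes the output of a command that does not exist, and because a failed substitution inside an argument does not trip `-e`, the files would quietly become the dotfiles `.provenance.json` and `.sbom.json` instead of `<binary>.provenance.json`. Presumably `"${filename}.provenance.json"` and `"${filename}.sbom.json"` were intended, unless this listing was garbled in extraction. `find . -name 'docker-compose-*'` can also return nothing or several paths, and an empty result gives `basename` an empty prefix, so a guard such as `[ -n "$binname" ] || { echo 'binary not found in ./bin/release' >&2; exit 1; }` keeps the rename from silently mislabeling the attestations. Separately, `provenance: mode=max` records more build metadata (including build arguments) in the attestation than the default mode, so it is worth confirming the `release` target passes nothing there that should not be published next to the binary.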
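Review bot: The rewritten loop expands `${file#\*}` four times and leaves the redirection target `${file#\*}.sha256` unquoted, so a file name containing spaces or glob characters would break the write; binding it once to `f` and quoting `"$f.sha256"` is simpler and safer. `read` without `-r` also interprets backslashes in names, and `cat checksums.txt | while …` runs the loop in a subshell, where redirecting the file into the loop is the usual form. Since `.sha256` sidecars are now emitted only for the binaries while `checksums.txt` still lists the provenance and SBOM files, a comment such as `# .sha256 sidecars cover binaries only; provenance/sbom entries are verified via checksums.txt` would spare the next reader a hunt. The enclosing `run:` script begins before this hunk.
```yaml
          # … unchanged: checksums.txt generation and verification …
          # .sha256 sidecars cover binaries only; provenance/sbom entries are verified via checksums.txt
          while read -r sum file; do
            f="${file#\*}"
            if [[ "$f" == docker-compose-* && "$f" != *.provenance.json && "$f" != *.sbom.json ]]; then
              echo "$sum $file" > "$f.sha256"
            fi
          done < checksums.txt
```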