workflow: remove signing and BOM in CI build

Since the Image CI Build is the most sensitive of our workflows since it
runs in the context of pull_request_target, let's make it simple as
nobody currently properly maintains the signing and the BOM. I don't
think anybody expect the CI builds to be fully shipped with BOM and
signing anyway.

Signed-off-by: Mahe Tardy <[email protected]>

.github/workflows/build-images-ci.yml

@@ -15,11 +15,11 @@ on:
     paths-ignore:
       - 'docs/**'
 
+# Since this workflow can execute on pull_request_target, drop all the
+# permissions of the GITHUB_TOKEN except `contents: read` for access to the repo
+# with the actions/checkout action.
 permissions:
-  # To be able to access the repository with `actions/checkout`
   contents: read
-  # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication
-  id-token: write
 
 jobs:
   build-and-push-prs:
@@ -92,23 +92,12 @@ jobs:
           ref: ${{ steps.tag.outputs.tag }}
           fetch-depth: 0
 
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
-
       - name: Install Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           # renovate: datasource=golang-version depName=go
           go-version: '1.23.2'
 
-      - name: Install Bom
-        shell: bash
-        env:
-          # renovate: datasource=github-releases depName=kubernetes-sigs/bom
-          BOM_VERSION: v0.6.0
-        run: |
-          go install sigs.k8s.io/bom/cmd/bom@${{ env.BOM_VERSION }}
-
       # main branch pushes
       - name: CI Build (main)
         if: ${{ github.event_name == 'push' }}
@@ -126,37 +115,6 @@ jobs:
             quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
             quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.name }}
 
-      - name: Sign Container Image
-        if: github.event_name == 'push'
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          cosign sign -y quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }}
-
-      - name: Generate SBOM
-        if: github.event_name == 'push'
-        shell: bash
-        # To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479
-        run: |
-          bom generate -o sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
-          --dirs=. \
-          --image=quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
-
-      - name: Attach SBOM to container images
-        if: github.event_name == 'push'
-        run: |
-          cosign attach sbom --sbom sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }}
-
-      - name: Sign SBOM Image
-        if: github.event_name == 'push'
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          docker_build_ci_main_digest="${{ steps.docker_build_ci_main.outputs.digest }}"
-          image_name="quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${docker_build_ci_main_digest/:/-}.sbom"
-          docker_build_ci_main_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
-          cosign sign -y "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${docker_build_ci_main_sbom_digest}"
-
       - name: CI Image Releases digests (main)
         if: github.event_name == 'push'
         shell: bash
@@ -180,37 +138,6 @@ jobs:
           tags: |
             quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
 
-      - name: Sign Container Image
-        if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          cosign sign -y quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}
-
-      - name: Generate SBOM
-        if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
-        shell: bash
-        # To-Do: Format SBOM output to JSON after a new version of cosign is released after v1.13.1. Ref: https://github.com/sigstore/cosign/pull/2479
-        run: |
-          bom generate --format json -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \
-          --dirs=. \
-          --image=quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}
-
-      - name: Attach SBOM to container images
-        if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
-        run: |
-          cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }}
-
-      - name: Sign SBOM Image
-        if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        run: |
-          docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}"
-          image_name="quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom"
-          docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)"
-          cosign sign -y "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}"
-
       - name: CI Image Releases digests (PR)
         if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
         shell: bash