diff --git a/.github/workflows/release-preview.yml b/.github/workflows/release-preview.yml
index ae83518..041b619 100644
--- a/.github/workflows/release-preview.yml
+++ b/.github/workflows/release-preview.yml
@@ -30,6 +30,8 @@ jobs: run: | gh auth setup-git + - uses: anchore/sbom-action/download-syft + - run: | git config --global user.email "dko@suse.com" git config --global user.name "David Ko"
@@ -190,5 +192,6 @@ jobs:
 --artifacts ./charts.tar.gz \
 --artifacts ./changelog.md \
 --artifacts ./changelog-prev-tag.md \
+ --artifacts ./longhorn-images-sbom.tar.gz \
 --pre-release \
 --draft
diff --git a/.github/workflows/release-sprint.yml b/.github/workflows/release-sprint.yml
index b6b61b7..ed7174a 100644
--- a/.github/workflows/release-sprint.yml
+++ b/.github/workflows/release-sprint.yml
@@ -31,6 +31,8 @@ jobs: run: | gh auth setup-git + - uses: anchore/sbom-action/download-syft + - run: | git config --global user.email "dko@suse.com" git config --global user.name "David Ko"
@@ -145,5 +147,6 @@ jobs:
 --artifacts ./longhorn.yaml \
 --artifacts ./longhorn-images.txt \
 --artifacts ./charts.tar.gz \
+ --artifacts ./longhorn-images-sbom.tar.gz \
 --pre-release \
 --draft
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3ca2853..3b901c2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,6 +30,8 @@ jobs: run: | gh auth setup-git + - uses: anchore/sbom-action/download-syft + - run: | git config --global user.email "dko@suse.com" git config --global user.name "David Ko"
@@ -168,5 +170,6 @@ jobs:
 --artifacts ./longhorn-images.txt \
 --artifacts ./charts.tar.gz \
 --artifacts ./changelog.md \
+ --artifacts ./longhorn-images-sbom.tar.gz \
 --pre-release \
 --draft
diff --git a/.gitignore b/.gitignore
index 47f2950..dbd7e91 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@ .idea first-commit.sh +**/*sbom*
diff --git a/scripts/check-images-ready.sh b/scripts/check-images-ready.sh
index 6ad51a6..1596eac 100755
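Review bot: The added `- uses: anchore/sbom-action/download-syft` step carries no `@ref`, and the identical line is added to release-sprint.yml and release.yml in this same commit. GitHub Actions requires a ref on a remote action reference, so if the line really landed without one the workflow will fail to load; if the ref was lost in this rendering, the point still stands that a release pipeline should pin third-party actions to an immutable commit SHA rather than a floating tag, e.g. `- uses: anchore/sbom-action/download-syft@<full-commit-sha> # v0.x.y`. The SBOMs attached to the release are only as trustworthy as the syft binary that produced them, so the pin (plus the action's syft-version input, if it exposes one) is also what makes the SBOM output reproducible across the three workflows.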
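Review bot: The new `--artifacts ./longhorn-images-sbom.tar.gz` attaches the SBOM bundle to the draft release without any integrity or provenance check a downstream consumer can use; the per-file `.sha256` files travel inside the same archive, so they only detect corruption, not substitution. Consider signing the archive in the same job, e.g. `cosign sign-blob --yes --bundle longhorn-images-sbom.tar.gz.sigstore ./longhorn-images-sbom.tar.gz`, and attaching the bundle (or at minimum a checksum of the tarball published outside it) alongside. The same applies to the matching `--artifacts` lines in release-sprint.yml and release.yml; the enclosing `gh release create` invocation starts above this hunk.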
--- a/scripts/check-images-ready.sh
+++ b/scripts/check-images-ready.sh
@@ -6,23 +6,42 @@ set -o xtrace
 images=("$@")
 found_images=()
-for i in {1..20}; do
- for img in "${images[@]}"; do
- for fimg in "${found_images[@]}"; do
- [ "$fimg" == "$img" ] && continue 2
+function check_images_ready() {
+ for i in {1..20}; do
+ for img in "${images[@]}"; do
+ for fimg in "${found_images[@]}"; do
+ [ "$fimg" == "$img" ] && continue 2
+ done
+
+ echo "Inspecting (${i} time): ${img}"
+ if ! skopeo inspect docker://"${img}" &>/dev/null; then
+ sleep 5m
+ continue 2
+ fi
+
+ found_images+=("$img")
 done
+ done
- echo "Inspecting (${i} time): ${img}"
- if ! skopeo inspect docker://"${img}" &>/dev/null; then
- sleep 5m
- continue 2
- fi
+ if [ ${#images[@]} -ne ${#found_images[@]} ]; then
+ printf "Some images not found:\n Expected: %s\n Found: %s\n" "${images[*]}" "${found_images[*]}" >/dev/stderr
+ exit 1
+ fi
+}
- found_images+=("$img")
+function generate_sbom_for_images() {
+ for img in "${images[@]}"; do
+ echo "Generating ${img} SBOM and checksum"
+
+ sbom_name="${img##*/}".sbom
+
+ syft "$img" -o spdx-json >"$sbom_name"
+ sha256sum "$sbom_name" >"$sbom_name".sha256
 done
-done
-if [ ${#images[@]} -ne ${#found_images[@]} ]; then
- printf "Some images not found:\n Expected: %s\n Found: %s\n" "${images[*]}" "${found_images[*]}" > /dev/stderr
- exit 1
-fi
+ find . \( -name "*.sbom" -o -name "*.sbom.sha256" \) -print0 | tar --null -zcvf "longhorn-images-sbom.tar.gz" --files-from -
+ tar -tvf longhorn-images-sbom.tar.gz
+}
+
+check_images_ready
+generate_sbom_for_images
diff --git a/scripts/update-repo-version-file.sh b/scripts/update-repo-version-file.sh
index 60b6e74..05ee2c0 100755
--- a/scripts/update-repo-version-file.sh
+++ b/scripts/update-repo-version-file.sh
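Review bot: `generate_sbom_for_images` scans each image by the mutable reference it was given (`syft "$img"`), so the SBOM is not bound to the bytes that were actually published: a tag can be re-pushed between `check_images_ready`'s `skopeo inspect` and the syft run, and the SPDX document never records which manifest it describes. Resolve the digest once and hand that to syft, e.g. `digest=$(skopeo inspect --format '{{.Digest}}' docker://"${img}")` followed by `syft "${img}@${digest}" -o spdx-json >"$sbom_name"` (`--format` needs a recent skopeo; `skopeo inspect ... | jq -r .Digest` is the older spelling), and write the digest next to the checksum so consumers can match SBOM to image. Two smaller issues in the same function: `sbom_name="${img##*/}".sbom` keeps only the last path component, so two images that differ only in registry or namespace silently overwrite each other's SBOM, and unless the script enables `set -e` above this hunk (not visible here) a failing `syft` leaves an empty `.sbom` that still gets a perfectly valid `.sha256`. Finally, `find .` sweeps any stale `*.sbom` already in the working directory into the tarball, so generating into a fresh `mktemp -d` would make the archive contents correspond exactly to the images that were checked.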
@@ -34,7 +34,7 @@ for repo in "${repos[@]}"; do
 gh repo clone "${repo}"
 pushd "${repo##*/}"
- echo ${version} > version
+ echo ${version} >version
 git add version
 git commit -s -m "chore(version): update version file to ${version}"
 git push -u origin HEAD