feat: support sbom generation when releasing

.github/workflows/release-preview.yml

@@ -30,11 +30,14 @@ jobs:
       run: |
         gh auth setup-git
 
+    - uses: anchore/sbom-action/download-syft
+
     - run: |
         git config --global user.email "[email protected]"
         git config --global user.name "David Ko"
 
     - uses: actions/checkout@v4
+
     - uses: actions/checkout@v4
       with:
         repository: innobead/renote
@@ -190,5 +193,6 @@ jobs:
           --artifacts ./charts.tar.gz \
           --artifacts ./changelog.md \
           --artifacts ./changelog-prev-tag.md \
+          --artifacts ./longhorn-images-sbom.tar.gz \
           --pre-release \
           --draft

.github/workflows/release-sprint.yml

@@ -31,11 +31,14 @@ jobs:
       run: |
         gh auth setup-git
 
+    - uses: anchore/sbom-action/download-syft
+
     - run: |
         git config --global user.email "[email protected]"
         git config --global user.name "David Ko"
 
     - uses: actions/checkout@v4
+
     - uses: actions/checkout@v4
       with:
         repository: innobead/renote
@@ -145,5 +148,6 @@ jobs:
           --artifacts ./longhorn.yaml \
           --artifacts ./longhorn-images.txt \
           --artifacts ./charts.tar.gz \
+          --artifacts ./longhorn-images-sbom.tar.gz \
           --pre-release \
           --draft

.github/workflows/release.yml

@@ -30,11 +30,14 @@ jobs:
       run: |
         gh auth setup-git
 
+    - uses: anchore/sbom-action/download-syft
+
     - run: |
         git config --global user.email "[email protected]"
         git config --global user.name "David Ko"
 
     - uses: actions/checkout@v4
+
     - uses: actions/checkout@v4
       with:
         repository: innobead/renote
@@ -168,5 +171,6 @@ jobs:
           --artifacts ./longhorn-images.txt \
           --artifacts ./charts.tar.gz \
           --artifacts ./changelog.md \
+          --artifacts ./longhorn-images-sbom.tar.gz \
           --pre-release \
           --draft

.gitignore

@@ -1,3 +1,4 @@
 .idea
 
 first-commit.sh
+**/*sbom*

scripts/check-images-ready.sh

@@ -6,23 +6,42 @@ set -o xtrace
 images=("$@")
 found_images=()
 
-for i in {1..20}; do
-  for img in "${images[@]}"; do
-    for fimg in "${found_images[@]}"; do
-      [ "$fimg" == "$img" ] && continue 2
+function check_images_ready() {
+  for i in {1..20}; do
+    for img in "${images[@]}"; do
+      for fimg in "${found_images[@]}"; do
+        [ "$fimg" == "$img" ] && continue 2
+      done
+
+      echo "Inspecting (${i} time): ${img}"
+      if ! skopeo inspect docker://"${img}" &>/dev/null; then
+        sleep 5m
+        continue 2
+      fi
+
+      found_images+=("$img")
     done
+  done
 
-    echo "Inspecting (${i} time): ${img}"
-    if ! skopeo inspect docker://"${img}" &>/dev/null; then
-      sleep 5m
-      continue 2
-    fi
+  if [ ${#images[@]} -ne ${#found_images[@]} ]; then
+    printf "Some images not found:\n Expected: %s\n Found: %s\n" "${images[*]}" "${found_images[*]}" >/dev/stderr
+    exit 1
+  fi
+}
 
-    found_images+=("$img")
+function generate_sbom_for_images() {
+  for img in "${images[@]}"; do
+    echo "Generating ${img} SBOM and checksum"
+
+    sbom_name="${img##*/}".sbom
+
+    syft "$img" -o spdx-json >"$sbom_name"
+    sha256sum "$sbom_name" >"$sbom_name".sha256
   done
-done
 
-if [ ${#images[@]} -ne ${#found_images[@]}  ]; then
-  printf "Some images not found:\n Expected: %s\n Found: %s\n" "${images[*]}" "${found_images[*]}" > /dev/stderr
-  exit 1
-fi
+  find . \( -name "*.sbom" -o -name "*.sbom.sha256" \) -print0 | tar --null -zcvf "longhorn-images-sbom.tar.gz" --files-from -
+  tar -tvf longhorn-images-sbom.tar.gz
+}
+
+check_images_ready
+generate_sbom_for_images

scripts/update-repo-version-file.sh

@@ -34,7 +34,7 @@ for repo in "${repos[@]}"; do
   gh repo clone "${repo}"
 
   pushd "${repo##*/}"
-  echo ${version} > version
+  echo ${version} >version
   git add version
   git commit -s -m "chore(version): update version file to ${version}"
   git push -u origin HEAD