Skip to content

Commit

Permalink
feat: support sbom generation when releasing
Browse files Browse the repository at this point in the history
ref: longhorn/longhorn#8821

Signed-off-by: davidko <[email protected]>
  • Loading branch information
innobead committed Aug 1, 2024
1 parent 7f76476 commit 874737e
Show file tree
Hide file tree
Showing 6 changed files with 48 additions and 16 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/release-preview.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,14 @@ jobs:
run: |
gh auth setup-git
- uses: anchore/sbom-action/download-syft

- run: |
git config --global user.email "[email protected]"
git config --global user.name "David Ko"
- uses: actions/checkout@v4

- uses: actions/checkout@v4
with:
repository: innobead/renote
Expand Down Expand Up @@ -190,5 +193,6 @@ jobs:
--artifacts ./charts.tar.gz \
--artifacts ./changelog.md \
--artifacts ./changelog-prev-tag.md \
--artifacts ./longhorn-images-sbom.tar.gz \
--pre-release \
--draft
4 changes: 4 additions & 0 deletions .github/workflows/release-sprint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,14 @@ jobs:
run: |
gh auth setup-git
- uses: anchore/sbom-action/download-syft

- run: |
git config --global user.email "[email protected]"
git config --global user.name "David Ko"
- uses: actions/checkout@v4

- uses: actions/checkout@v4
with:
repository: innobead/renote
Expand Down Expand Up @@ -145,5 +148,6 @@ jobs:
--artifacts ./longhorn.yaml \
--artifacts ./longhorn-images.txt \
--artifacts ./charts.tar.gz \
--artifacts ./longhorn-images-sbom.tar.gz \
--pre-release \
--draft
4 changes: 4 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,14 @@ jobs:
run: |
gh auth setup-git
- uses: anchore/sbom-action/download-syft

- run: |
git config --global user.email "[email protected]"
git config --global user.name "David Ko"
- uses: actions/checkout@v4

- uses: actions/checkout@v4
with:
repository: innobead/renote
Expand Down Expand Up @@ -168,5 +171,6 @@ jobs:
--artifacts ./longhorn-images.txt \
--artifacts ./charts.tar.gz \
--artifacts ./changelog.md \
--artifacts ./longhorn-images-sbom.tar.gz \
--pre-release \
--draft
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
.idea

first-commit.sh
**/*sbom*
49 changes: 34 additions & 15 deletions scripts/check-images-ready.sh
Original file line number Diff line number Diff line change
Expand Up @@ -6,23 +6,42 @@ set -o xtrace
images=("$@")
found_images=()

for i in {1..20}; do
for img in "${images[@]}"; do
for fimg in "${found_images[@]}"; do
[ "$fimg" == "$img" ] && continue 2
function check_images_ready() {
for i in {1..20}; do
for img in "${images[@]}"; do
for fimg in "${found_images[@]}"; do
[ "$fimg" == "$img" ] && continue 2
done

echo "Inspecting (${i} time): ${img}"
if ! skopeo inspect docker://"${img}" &>/dev/null; then
sleep 5m
continue 2
fi

found_images+=("$img")
done
done

echo "Inspecting (${i} time): ${img}"
if ! skopeo inspect docker://"${img}" &>/dev/null; then
sleep 5m
continue 2
fi
if [ ${#images[@]} -ne ${#found_images[@]} ]; then
printf "Some images not found:\n Expected: %s\n Found: %s\n" "${images[*]}" "${found_images[*]}" >/dev/stderr
exit 1
fi
}

found_images+=("$img")
function generate_sbom_for_images() {
for img in "${images[@]}"; do
echo "Generating ${img} SBOM and checksum"

sbom_name="${img##*/}".sbom

syft "$img" -o spdx-json >"$sbom_name"
sha256sum "$sbom_name" >"$sbom_name".sha256
done
done

if [ ${#images[@]} -ne ${#found_images[@]} ]; then
printf "Some images not found:\n Expected: %s\n Found: %s\n" "${images[*]}" "${found_images[*]}" > /dev/stderr
exit 1
fi
find . \( -name "*.sbom" -o -name "*.sbom.sha256" \) -print0 | tar --null -zcvf "longhorn-images-sbom.tar.gz" --files-from -
tar -tvf longhorn-images-sbom.tar.gz
}

check_images_ready
generate_sbom_for_images
2 changes: 1 addition & 1 deletion scripts/update-repo-version-file.sh
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ for repo in "${repos[@]}"; do
gh repo clone "${repo}"

pushd "${repo##*/}"
echo ${version} > version
echo ${version} >version
git add version
git commit -s -m "chore(version): update version file to ${version}"
git push -u origin HEAD
Expand Down

0 comments on commit 874737e

Please sign in to comment.