generate-sbom.yml

name: Generate-SBOM
on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag that needs to generate sbom"
        required: true
jobs:
  generate-sbom:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code
      uses: actions/checkout@v4
    - name: Install Syft
      run: |
        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
    - name: Install Cosign
      uses: sigstore/cosign-installer@v3.5.0
    - name: Generate Key
      run: |
        cosign generate-key-pair
      env:
        COSIGN_PASSWORD: ""
    - name: Generate SBOM
      run: |
        mkdir sbom
        LONGHORN_IMAGES_FILE=deploy/longhorn-images.txt
        while read -r IMAGE; do
          IMAGE_NAME="${IMAGE#*/}"
          FILE_PREFIX="${IMAGE_NAME//:/-}"
          syft -q "${IMAGE}" -o json --platform=linux/amd64 > "sbom/${FILE_PREFIX}-amd64.sbom"
          if [[ "${IMAGE}" != *"openshift-origin-oauth-proxy"* ]]; then
            syft -q "${IMAGE}" -o json --platform=linux/arm64 > "sbom/${FILE_PREFIX}-arm64.sbom"
          fi
        done < "${LONGHORN_IMAGES_FILE}"
    - name: Sign SBOM
      run: |
        for SBOM_FILE in "sbom"/*; do
          SIG_FILE_NAME="${SBOM_FILE%.*}.sig"
          cosign sign-blob -y "${SBOM_FILE}" --key cosign.key --output-signature "${SIG_FILE_NAME}"
        done
    - name: Verify SBOM
      run: |
        for SBOM_FILE in "sbom"/*.sbom; do
          SIG_FILE_NAME="${SBOM_FILE%.*}.sig"
          cosign verify-blob --key cosign.pub --signature "$(cat "${SIG_FILE_NAME}")" "${SBOM_FILE}"
        done
    - name: Ship Public Key
      run: |
        cp cosign.pub sbom/cosign.pub
    - name: Tar Assets
      run: |
        tar zcvf sbom.tar.gz sbom
    - name: Upload Release Assets
      uses: AButler/upload-release-assets@v3.0
      with:
        files: sbom.tar.gz
        repo-token: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
        release-tag: ${{ inputs.tag || '' }}