From fe3e3bd9b65b4bc4fa3fd05a42e27f7f507c523e Mon Sep 17 00:00:00 2001
From: Thomas van Erven
Date: Mon, 21 Jul 2025 11:02:35 +0300
Subject: [PATCH 1/4] Shenanigans.
---
.github/workflows/docker-image.yml | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index eb08b34..87d8ea9 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -2,7 +2,7 @@ name: Build and Deploy to RKE2
on:
push:
- branches: [ "master" ]
+ branches: [ "master", 'fix/sbom' ]
jobs:
build:
@@ -20,9 +20,9 @@ jobs:
- name: Create Python SBOM
run: |
python -m pip install --upgrade pip
- pip install cyclonedx-bom
+ sudo npm install -g @cyclonedx/cdxgen
pip install -r requirements.txt
- cyclonedx-bom -r requirements.txt -o sbom-python.xml
+ cdxgen -t python -o sbom.json .
- name: Install cosign
run: |
@@ -47,11 +47,11 @@ jobs:
- name: Push SBOM to Harbor
run: |
oras push harbor.wizardtower.dev/museit/museit-docs/sbom:latest \
- --manifest-config sbom-python.xml:application/xml \ sbom-python.xml:application/xml
+ --manifest-config sbom-python.json:application/json \
+ sbom-python.json:application/json
oras push harbor.wizardtower.dev/museit/museit-docs/sbom:$GITHUB_SHA \
- --manifest-config sbom-python.xml:application/xml \
- sbom-python.xml:application/xml
+ --manifest-config sbom-python.json:application/json \
+ sbom-python.json:application/json
- name: Sign SBOM with Cosign
env:
From c14e8a5eff08c6e30424dc4d683c68c4215b60c1 Mon Sep 17 00:00:00 2001
From: Thomas van Erven
Date: Mon, 21 Jul 2025 11:06:08 +0300
Subject: [PATCH 2/4] Lies of C.
---
.github/workflows/docker-image.yml | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 87d8ea9..3e174d2 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
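Review bot: `branches: [ "master", 'fix/sbom' ]` makes every push to the feature branch run this "Build and Deploy to RKE2" workflow end to end, which — going by the `docker push …:latest` and `deploy:` lines visible in the later hunks — would publish the `:latest` tag and deploy an unreviewed branch to the cluster. If this is a temporary debugging aid, revert it before merge; if feature-branch builds are wanted, keep the trigger but guard the publish and deploy steps with `if: github.ref == 'refs/heads/master'`. The `deploy` job lies outside this hunk, so I cannot tell whether such a guard already exists. The mixed quoting (`"master"` vs `'fix/sbom'`) is harmless but worth making consistent.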
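Review bot: `cdxgen -t python -o sbom.json .` writes `sbom.json`, but the push step rewritten in the next hunk reads `sbom-python.json`, so `oras push` would fail on a missing file; either use `-o sbom-python.json` here or `sbom.json` there. `sudo npm install -g @cyclonedx/cdxgen` also installs whatever the npm registry currently serves as latest, as root, for the very tool that generates a supply-chain artifact — pin it (`@cyclonedx/cdxgen@<version>`) if the step is kept. Both points are moot for the series as a whole, since 4/4 deletes this step.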
@@ -32,10 +32,9 @@ jobs:
sudo mv cosign /usr/local/bin/
- name: Install oras
- run: |
- curl -sSfL https://github.com/oras-project/oras/releases/latest/download/oras_1.1.0_linux_amd64.tar.gz \
- | tar -xz
- sudo mv oras /usr/local/bin/
+ uses: oras-project/setup-oras@v1
+ with:
+ version: latest
- name: Build and Push Docker image
run: |
From ffc95421453ce34175ba93fb9fe3f204703f1df4 Mon Sep 17 00:00:00 2001
From: Thomas van Erven
Date: Mon, 21 Jul 2025 11:07:39 +0300
Subject: [PATCH 3/4] More lies.
---
.github/workflows/docker-image.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 3e174d2..7a4b010 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -34,7 +34,7 @@ jobs:
- name: Install oras
uses: oras-project/setup-oras@v1
with:
- version: latest
+ version: 1.2.3
- name: Build and Push Docker image
run: |
From 6e0316c236441ec05e2b72b8673a2c07963cb7e6 Mon Sep 17 00:00:00 2001
From: Thomas van Erven
Date: Mon, 21 Jul 2025 11:18:42 +0300
Subject: [PATCH 4/4] Screw SBOM, all my homies use SBOM on Harbor.
---
.github/workflows/docker-image.yml | 38 +++++++++---------------------
1 file changed, 11 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 7a4b010..d3360d7 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
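Review bot: `uses: oras-project/setup-oras@v1` references a mutable tag, so the action code that runs inside this job — after it has logged in to Harbor with `secrets.HARBOR_USERNAME` / `secrets.HARBOR_PASSWORD` — can change without any change in this repository; pin it to a full commit SHA and keep the tag as a comment, e.g. `uses: oras-project/setup-oras@<commit-sha> # v1`. Dependabot's `github-actions` ecosystem can keep such SHA pins current. The `version: latest` input is revised in 3/4, so I leave it aside here.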
@@ -17,19 +17,8 @@ jobs:
username: ${{ secrets.HARBOR_USERNAME }}
password: ${{ secrets.HARBOR_PASSWORD }}
- - name: Create Python SBOM
- run: |
- python -m pip install --upgrade pip
- sudo npm install -g @cyclonedx/cdxgen
- pip install -r requirements.txt
- cdxgen -t python -o sbom.json .
-
- - name: Install cosign
- run: |
- curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 \
- -o cosign
- chmod +x cosign
- sudo mv cosign /usr/local/bin/
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.9.2
- name: Install oras
uses: oras-project/setup-oras@v1
@@ -43,23 +32,18 @@ jobs:
docker push harbor.wizardtower.dev/museit/museit-docs:latest
docker push harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA
- - name: Push SBOM to Harbor
- run: |
- oras push harbor.wizardtower.dev/museit/museit-docs/sbom:latest \
- --manifest-config sbom-python.json:application/json \
- sbom-python.json:application/json
- oras push harbor.wizardtower.dev/museit/museit-docs/sbom:$GITHUB_SHA \
- --manifest-config sbom-python.json:application/json \
- sbom-python.json:application/json
-
- - name: Sign SBOM with Cosign
+ - name: Sign images with Cosign
env:
- COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
run: |
- echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
cosign sign \
- --key cosign.key \
- harbor.wizardtower.dev/museit/museit-docs/sbom:$GITHUB_SHA
+ --yes \
+ --key env://COSIGN_PRIVATE_KEY \
+ harbor.wizardtower.dev/museit/museit-docs:latest
+ cosign sign \
+ --yes \
+ --key env://COSIGN_PRIVATE_KEY \
+ harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA
deploy:
runs-on: [ self-hosted, linux, rke2, wizardtower ]
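Review bot: after this hunk nothing left in the `build` job appears to invoke `oras` — its only consumer, the `Push SBOM to Harbor` step, is removed in the next hunk — so the surviving `- name: Install oras` / `uses: oras-project/setup-oras@v1` step is dead weight and one more third-party action executing on the runner; drop it unless the `deploy` job, which is outside this diff, relies on it. The new `uses: sigstore/cosign-installer@v3.9.2` is pinned to a tag, which is mutable; prefer a commit SHA with the tag kept as a comment, `uses: sigstore/cosign-installer@<commit-sha> # v3.9.2`. Replacing the unverified `curl …/releases/latest/download/cosign-linux-amd64` download with the installer action is otherwise a clear improvement.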
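Review bot: the rewritten step drops `COSIGN_PASSWORD` from `env:` while switching to `--key env://COSIGN_PRIVATE_KEY`; if the key material is password-protected (the removed `COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}` line suggests it is), cosign will most likely fail to decrypt it in this non-interactive run, so keep that line alongside `COSIGN_PRIVATE_KEY`. Both `cosign sign` calls also sign by tag (`:latest`, `:$GITHUB_SHA`); cosign resolves the tag to a digest at sign time, but a tag can be repointed between `docker push` and `cosign sign`, and `:latest` especially is a moving target. Resolve the pushed digest once (e.g. `docker inspect --format '{{index .RepoDigests 0}}' harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA`) and sign `museit-docs@sha256:…` a single time — assuming both tags are the same built image, as the two pushes suggest, one signature then covers both. Moving from `echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key` to `env://` is a good change: the key no longer touches the runner's disk.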