47 changes: 15 additions & 32 deletions .github/workflows/docker-image.yml
Expand Up @@ -2,7 +2,7 @@ name: Build and Deploy to RKE2

on:
push:
branches: [ "master" ]
branches: [ "master", 'fix/sbom' ]

jobs:
build:
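Review bot: Adding `fix/sbom` to the `push` trigger means every push to that feature branch now runs the whole workflow, including the `deploy` job and the push of the `:latest` tag that the later hunks show, so a work-in-progress branch can overwrite `latest` and deploy to the RKE2 cluster named in the workflow title. If the entry is only there to exercise the SBOM/signing changes, drop it before merge or guard the deploy job with `if: github.ref == 'refs/heads/master'`. The new entry also mixes quote styles in one flow sequence; `branches: ["master", "fix/sbom"]` keeps the file consistent.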
Expand All @@ -17,25 +17,13 @@ jobs:
username: ${{ secrets.HARBOR_USERNAME }}
password: ${{ secrets.HARBOR_PASSWORD }}

- name: Create Python SBOM
run: |
python -m pip install --upgrade pip
pip install cyclonedx-bom
pip install -r requirements.txt
cyclonedx-bom -r requirements.txt -o sbom-python.xml

- name: Install cosign
run: |
curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 \
-o cosign
chmod +x cosign
sudo mv cosign /usr/local/bin/
- name: Install Cosign
uses: sigstore/cosign-installer@v3.9.2

- name: Install oras
run: |
curl -sSfL https://github.com/oras-project/oras/releases/latest/download/oras_1.1.0_linux_amd64.tar.gz \
| tar -xz
sudo mv oras /usr/local/bin/
uses: oras-project/setup-oras@v1
with:
version: 1.2.3

- name: Build and Push Docker image
run: |
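Review bot: Both new `uses:` references are mutable tags (`sigstore/cosign-installer@v3.9.2`, `oras-project/setup-oras@v1`), so the binaries that produce this workflow's signatures can change without any diff in this repository, and `@v1` in particular floats across every minor release. For a signing pipeline pin each action to its full commit SHA and keep the tag as a comment, e.g. `uses: sigstore/cosign-installer@<COMMIT_SHA>  # v3.9.2`. The oras install is also left without a consumer on the new side, because the only step that called `oras push` (`Push SBOM to Harbor`, next hunk) is removed in this same change; drop the step unless a follow-up restores the SBOM upload. `version: 1.2.3` happens to parse as a string, but quoting it (`version: "1.2.3"`) protects against a future two-component value being read as a float. The enclosing `steps:` list starts above this hunk.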
Expand All @@ -44,23 +32,18 @@ jobs:
docker push harbor.wizardtower.dev/museit/museit-docs:latest
docker push harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA

- name: Push SBOM to Harbor
run: |
oras push harbor.wizardtower.dev/museit/museit-docs/sbom:latest \
--manifest-config sbom-python.xml:application/xml \
sbom-python.xml:application/xml
oras push harbor.wizardtower.dev/museit/museit-docs/sbom:$GITHUB_SHA \
--manifest-config sbom-python.xml:application/xml \
sbom-python.xml:application/xml

- name: Sign SBOM with Cosign
- name: Sign images with Cosign
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
run: |
echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
cosign sign \
--key cosign.key \
harbor.wizardtower.dev/museit/museit-docs/sbom:$GITHUB_SHA
--yes \
--key env://COSIGN_PRIVATE_KEY \
harbor.wizardtower.dev/museit/museit-docs:latest
cosign sign \
--yes \
--key env://COSIGN_PRIVATE_KEY \
harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA

deploy:
runs-on: [ self-hosted, linux, rke2, wizardtower ]
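Review bot: The two `cosign sign` calls on the new side sign tag references (`:latest` and `:$GITHUB_SHA`); a tag is a mutable pointer, so each signature attests whatever the tag resolved to at signing time, and cosign itself warns when asked to sign a tag rather than a digest. Assuming both tags were pushed from the same locally built image (the build/push step is cut off at the top of this hunk), they share one content digest, so resolving it once and signing `repo@sha256:…` covers both tags and stays valid if either tag is later re-pointed. `--yes` and `--key env://COSIGN_PRIVATE_KEY` are fine as written; only the reference being signed changes.
```yaml
      - name: Sign image with Cosign
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          # Both tags were pushed from the same local image, so they share a
          # digest; sign the digest so the signature is not tied to a tag.
          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' \
            harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA)
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "$DIGEST"
      # … unchanged: deploy job …
```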