feat: update CycloneDX SBOM action inputs and improve digest handling#579

Open: AlexFernandes-MOVAI wants to merge 2 commits into v3 from feat/docker_sbom_cycloneDX
Conversation

@AlexFernandes-MOVAI

Contributor

This pull request updates the CycloneDX SBOM (Software Bill of Materials) generation and attachment process in the Docker workflow. The main focus is on improving the handling and validation of image digests, simplifying the image reference construction, and making the SBOM steps more robust and maintainable. Additionally, some workflow steps related to version bumping and release creation have been removed or refactored.

SBOM Generation and Image Digest Handling Improvements:

  • The digest input in .github/actions/attach-cyclonedx-sbom/action.yml is now required, and the logic for extracting and validating the digest has been improved to ensure it matches the expected format (sha256:...). This prevents accidental use of invalid or missing digests. [1] [2]
  • The action step name was updated from "Resolve image subject reference" to "Build exact image subject reference" to better reflect its purpose.
  • In the workflow (.github/workflows/docker-workflow.yml), SBOM generation now passes the image and digest separately, and image references are constructed more reliably using a new preparation step. [1] [2] [3]
  • Digest extraction and validation logic has been improved after pushing images, ensuring only valid digests are used for subsequent steps.

Workflow Refactoring and Cleanup:

  • Several steps related to version bumping, pushing to protected branches, and release creation have been removed or refactored, streamlining the workflow and focusing it on the essential build and SBOM tasks.

These changes make the SBOM attachment process more robust, reduce the risk of errors due to invalid digests, and simplify the workflow for easier maintenance.
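As an added example that is not part of this pull request or the project's own action code, the following POSIX shell shows the kind of check the description refers to: a digest is accepted only if it has the exact sha256:<64 hex> form, and the image@digest subject reference is built from the image name with any tag stripped. The function names and sample values are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or the project. Names are assumptions.

# validate_digest DIGEST
# Returns 0 only if DIGEST is "sha256:" followed by exactly 64 lowercase
# hex characters. Empty, bare, truncated or mixed-case hashes all fail.
validate_digest() {
  digest="$1"
  case "$digest" in
    sha256:*) ;;
    *) return 1 ;;
  esac
  hash="${digest#sha256:}"
  [ "${#hash}" -eq 64 ] || return 1
  case "$hash" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# build_subject_ref IMAGE DIGEST
# Prints "IMAGE@DIGEST" with a trailing ":tag" removed (a tag plus a digest
# is an ambiguous subject), or prints nothing and returns 1 on a bad digest.
build_subject_ref() {
  image="$1"
  digest="$2"
  validate_digest "$digest" || return 1
  # Only strip a tag from the last path component, so a registry port such
  # as "localhost:5000/app" is left intact.
  last="${image##*/}"
  case "$last" in
    *:*) image="${image%:*}" ;;
  esac
  printf '%s@%s\n' "$image" "$digest"
}

# Constructed sample values (not a real image or digest):
SAMPLE_DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
build_subject_ref "ghcr.io/example/app:1.2.3" "$SAMPLE_DIGEST"
```

A workflow step can run the same check right after the push and fail the job when validate_digest returns non-zero, so later SBOM attachment never sees an empty or malformed digest.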
