
build: generate SPDX SBOMs for release artifacts via syft #92

Merged
ben-miru merged 1 commit into main from claude/agent-sbom-publishing-8jy7hm
Jun 29, 2026

Conversation

@miru-agents (Collaborator) commented Jun 29, 2026

Summary

Adds SBOM (Software Bill of Materials) generation to the agent release pipeline using GoReleaser's native syft integration, mirroring the change already shipped in cli-private (#93). For every release, SPDX-JSON SBOMs are produced for the build artifacts and uploaded to the GitHub release automatically.

This gives supply-chain transparency: downstream consumers and security tooling can enumerate dependencies for vulnerability response, license auditing, and provenance verification. It aligns the agent with the same supply-chain posture as the CLI and with regulatory expectations (US EO 14028, EU Cyber Resilience Act).

Changes

  • build/.goreleaser.yaml: added an sboms: stanza (GoReleaser Pro) generating SPDX-JSON SBOMs — one entry for artifacts: archive (the tar.gz archives) and one for artifacts: package (the .deb). Relies on GoReleaser's syft + SPDX-JSON defaults; SBOM files ({{ .ArtifactName }}.sbom.json) are uploaded with the release automatically through the existing release: stanza.
  • build/Dockerfile.builder: added a checksum-verified syft install (anchore/syft, pinned ARG SYFT_VERSION=1.46.0), styled identically to the existing GoReleaser install — download the release tarball plus syft_<ver>_checksums.txt, verify with sha256sum -c -, extract to /usr/local/bin, and smoke-test with syft version.
  • build/Dockerfile: comment-only note that the builder image tag pin must be re-pinned once .github/workflows/builder.yml republishes the builder image with syft. The existing a32d4c0 pin is left as-is.

⚠️ Required follow-up / merge sequencing

SBOM generation depends on syft being present in the builder image. This requires a specific sequence:

  1. Merge this PR (adds the syft install to Dockerfile.builder).
  2. Let .github/workflows/builder.yml republish ghcr.io/mirurobotics/agent-builder:<short-sha> so the published image actually contains syft.
  3. Bump the FROM ghcr.io/mirurobotics/agent-builder:<tag> pin in build/Dockerfile to the new short-SHA tag of that republished image.

Until that re-pin lands, any release/snapshot build will fail at the SBOM step with syft: command not found (the currently pinned builder image predates the syft install). Reviewers should confirm the builder-republish + re-pin sequence before relying on releases.

Validation done

  • The syft install block (asset names, checksum verification, extraction) was reproduced on a host: both release assets returned HTTP 200, sha256sum -c - printed syft_1.46.0_linux_amd64.tar.gz: OK, and syft version reported 1.46.0.
  • build/.goreleaser.yaml parses cleanly and the sboms: stanza deserializes to the two expected entries.
  • The Rust lint suite (clippy, cargo fmt, import-lint, cargo-machete, cargo-diet) is clean. cargo audit could not fetch the RustSec advisory DB in the sandbox (proxy returned HTTP 403) — environmental and unrelated to this change, which touches zero Rust code.
  • Not run in sandbox (no Docker / no GHCR access): the full Docker snapshot build and end-to-end SBOM emission. Deferred to CI post-merge, as the diff is strictly build-infra config.

Scope note

Strictly the agent repo's build/ pipeline. No Rust source, no workflow files, and no other repos change.

🤖 Generated with Claude Code

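The install procedure the PR describes above (pinned version, release tarball plus `syft_<ver>_checksums.txt`, `sha256sum -c -`, extract to `/usr/local/bin`, smoke-test with `syft version`), reproduced as an added shell example that is not part of the PR or of the repo's `build/Dockerfile.builder`. It builds a constructed stand-in release locally so it runs offline; the asset names follow the syft release layout named in the PR, the functions `verify_and_extract`, `make_fixture`, `run_checks` and `demo` are names chosen here, and the tampered-asset case shows what the check guards against.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own Dockerfile code. It reproduces the
# checksum-verified install step the PR describes (release tarball +
# syft_<ver>_checksums.txt, `sha256sum -c -`, extract, smoke-test) against a
# constructed release built locally, so it runs offline. The tarball's "syft"
# is a stand-in script, not the real anchore/syft binary; in the Dockerfile the
# two assets are fetched from the GitHub release instead of being built here.
set -eu

# verify_and_extract TARBALL CHECKSUMS DEST
# Mirrors the RUN step: select the checksums.txt line whose file-name column
# equals this asset, pipe that one line into `sha256sum -c -`, and only then
# extract. Returns non-zero (and extracts nothing) when the digest differs or
# the asset has no entry in the checksums file.
verify_and_extract() {
  tarball="$1"; checksums="$2"; dest="$3"
  name="$(basename "$tarball")"
  # Exact match on the file-name column: a checksums file listing many assets
  # must not satisfy the check with another asset's digest, and a regex built
  # from the name would treat its dots as wildcards.
  line="$(awk -v name="$name" '$2 == name' "$checksums")"
  if [ -z "$line" ]; then
    echo "no checksum entry for $name in $checksums" >&2
    return 1
  fi
  # sha256sum -c resolves the listed file name relative to cwd, hence the cd.
  ( cd "$(dirname "$tarball")" && printf '%s\n' "$line" | sha256sum -c - ) || return 1
  mkdir -p "$dest"
  tar -xzf "$tarball" -C "$dest" syft
}

# make_fixture WORKDIR VERSION
# Constructed stand-in for the GitHub release: a tar.gz holding an executable
# named syft that prints VERSION, plus a checksums.txt in the
# "<sha256>  <asset>" shape that GoReleaser-built releases publish.
make_fixture() {
  work="$1"; ver="$2"
  mkdir -p "$work/release" "$work/pkg"
  printf '#!/bin/sh\necho "%s"\n' "$ver" > "$work/pkg/syft"
  chmod +x "$work/pkg/syft"
  tar -czf "$work/release/syft_${ver}_linux_amd64.tar.gz" -C "$work/pkg" syft
  ( cd "$work/release" \
      && sha256sum "syft_${ver}_linux_amd64.tar.gz" > "syft_${ver}_checksums.txt" )
}

# run_checks WORKDIR VERSION
# 1. the genuine asset verifies, extracts, and the `syft version` smoke test
#    reports the pinned version;
# 2. a tampered copy under the same file name is rejected before extraction.
run_checks() {
  work="$1"; ver="$2"
  asset="$work/release/syft_${ver}_linux_amd64.tar.gz"
  sums="$work/release/syft_${ver}_checksums.txt"

  verify_and_extract "$asset" "$sums" "$work/usr/local/bin" || return 1
  [ "$(sh "$work/usr/local/bin/syft" version)" = "$ver" ] || return 1

  printf 'x' >> "$asset"                      # one appended byte: same name, new digest
  if verify_and_extract "$asset" "$sums" "$work/tampered" 2>/dev/null; then
    return 1                                  # must not verify
  fi
  [ ! -e "$work/tampered/syft" ] || return 1  # and nothing may have been extracted
}

# demo [VERSION]: builds the fixture in a temp dir, runs both checks, cleans
# up, and returns 0 only if both behave as expected. The default matches the
# PR's SYFT_VERSION pin.
demo() {
  ver="${1:-1.46.0}"
  work="$(mktemp -d)"
  rc=0
  make_fixture "$work" "$ver" || rc=$?
  [ "$rc" -eq 0 ] && { run_checks "$work" "$ver" || rc=$?; }
  rm -rf "$work"
  return "$rc"
}

demo "$@" && echo "checksum-verified install: genuine asset OK, tampered asset rejected"
```

The two details worth carrying into the Dockerfile are the exact match on the asset name, so a checksums file that lists many assets cannot be satisfied by a different asset's digest, and handing that single line to `sha256sum -c -` so the tool both computes and compares the digest. The caveat: this proves only that the tarball matches the checksums file published next to it. A checksums file fetched from the same release is not a signature, so an attacker who can replace the release assets can replace both; the version pin plus the checksum protects against a corrupted or substituted download, not against a compromised release.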


ben-miru force-pushed the claude/agent-sbom-publishing-8jy7hm branch from 5a971e3 to 18df902 on June 29, 2026 17:06
Install syft (checksum-verified, pinned via SYFT_VERSION) in the builder
image and add an sboms: stanza to .goreleaser.yaml covering the tar.gz
archives and the .deb package. SBOMs are SPDX-JSON and upload to the
release automatically, mirroring the cli-private SBOM change.

The build/Dockerfile builder-image tag re-pin is a post-merge follow-up:
after builder.yml republishes the image with syft, bump the FROM tag.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012ttfWUipwm1fvHL2ZcZFzU
ben-miru force-pushed the claude/agent-sbom-publishing-8jy7hm branch from 18df902 to 9436b1e on June 29, 2026 17:06
ben-miru merged commit f947597 into main on Jun 29, 2026
3 checks passed
ben-miru deleted the claude/agent-sbom-publishing-8jy7hm branch on June 29, 2026 17:09
3 participants