build: generate SPDX SBOMs for release artifacts via syft #92
Merged
Install syft (checksum-verified, pinned via SYFT_VERSION) in the builder image and add an sboms: stanza to .goreleaser.yaml covering the tar.gz archives and the .deb package. SBOMs are SPDX-JSON and upload to the release automatically, mirroring the cli-private SBOM change.

The build/Dockerfile builder-image tag re-pin is a post-merge follow-up: after builder.yml republishes the image with syft, bump the FROM tag.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012ttfWUipwm1fvHL2ZcZFzU
Summary
Adds SBOM (Software Bill of Materials) generation to the agent release pipeline using GoReleaser's native `syft` integration, mirroring the change already shipped in `cli-private` (#93). For every release, SPDX-JSON SBOMs are produced for the build artifacts and uploaded to the GitHub release automatically.

This gives supply-chain transparency: downstream consumers and security tooling can enumerate dependencies for vulnerability response, license auditing, and provenance verification. It aligns the agent with the same supply-chain posture as the CLI and with regulatory expectations (US EO 14028, EU Cyber Resilience Act).
Changes
- `build/.goreleaser.yaml`: added an `sboms:` stanza (GoReleaser Pro) generating SPDX-JSON SBOMs, one entry for `artifacts: archive` (the tar.gz archives) and one for `artifacts: package` (the `.deb`). Relies on GoReleaser's syft + SPDX-JSON defaults; SBOM files (`{{ .ArtifactName }}.sbom.json`) are uploaded with the release automatically through the existing `release:` stanza.
- `build/Dockerfile.builder`: added a checksum-verified `syft` install (anchore/syft, pinned `ARG SYFT_VERSION=1.46.0`), styled identically to the existing GoReleaser install: download the release tarball plus `syft_<ver>_checksums.txt`, verify with `sha256sum -c -`, extract to `/usr/local/bin`, and smoke-test with `syft version`.
- `build/Dockerfile`: comment-only note that the builder image tag pin must be re-pinned once `.github/workflows/builder.yml` republishes the builder image with syft. The existing `a32d4c0` pin is left as-is.

SBOM generation depends on `syft` being present in the builder image. This requires a specific sequence:

1. This PR (`syft` install to `Dockerfile.builder`).
2. `.github/workflows/builder.yml` republishes `ghcr.io/mirurobotics/agent-builder:<short-sha>` so the published image actually contains `syft`.
3. Update the `FROM ghcr.io/mirurobotics/agent-builder:<tag>` pin in `build/Dockerfile` to the new short-SHA tag of that republished image.

Until that re-pin lands, any release/snapshot build will fail at the SBOM step with `syft: command not found` (the currently pinned builder image predates the syft install). Reviewers should confirm the builder-republish + re-pin sequence before relying on releases.

Validation done
- `syft` install block (asset names, checksum verification, extraction) was reproduced on a host: both release assets returned HTTP 200, `sha256sum -c -` printed `syft_1.46.0_linux_amd64.tar.gz: OK`, and `syft version` reported `1.46.0`.
- `build/.goreleaser.yaml` parses cleanly and the `sboms:` stanza deserializes to the two expected entries.
- Lint (`clippy`, `cargo fmt`, import-lint, `cargo-machete`, `cargo-diet`) is clean.
- `cargo audit` could not fetch the RustSec advisory DB in the sandbox (proxy returned HTTP 403); environmental and unrelated to this change, which touches zero Rust code.

Scope note
Strictly the `agent` repo's `build/` pipeline. No Rust source, no workflow files, and no other repos change.

🤖 Generated with Claude Code
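The checksum-verified install step described in the PR above, as an added example that is not the PR's own `Dockerfile.builder` code: a POSIX shell script that constructs a stand-in `syft_1.46.0_linux_amd64.tar.gz` and a matching `syft_1.46.0_checksums.txt` locally (so it runs offline instead of downloading from the anchore/syft release), verifies the asset with the same `grep` + `sha256sum -c -` pattern, extracts it and smoke-tests it with `syft version`, and then exercises the two rejection cases a reviewer of this block cares about: a tampered tarball and an asset name that is absent from the checksums file. The helper names (`build_fixture`, `verify_asset`, `install_asset`, `demo`) and the fake `syft` binary are assumptions of this example; only `SYFT_VERSION=1.46.0`, the asset naming and the verify/extract/smoke-test sequence come from the PR.

```shell
#!/bin/sh
# Added example, not the PR's Dockerfile.builder: reproduces the
# checksum-verified install pattern the PR describes against constructed
# local files so it runs offline. A real builder image would curl the
# tarball and syft_<ver>_checksums.txt from the anchore/syft GitHub release.
set -u

SYFT_VERSION="${SYFT_VERSION:-1.46.0}"            # pinned, as in the PR
ASSET="syft_${SYFT_VERSION}_linux_amd64.tar.gz"
CHECKSUMS="syft_${SYFT_VERSION}_checksums.txt"

# build_fixture DIR: constructed stand-in for the release assets. The "syft"
# binary is a tiny script that mimics `syft version` output; the checksums
# file carries the real digest of our tarball plus an unrelated entry, like
# the upstream file which lists every platform's asset.
build_fixture() {
  dir="$1"
  mkdir -p "$dir/stage"
  printf '#!/bin/sh\necho "Version: %s"\n' "$SYFT_VERSION" > "$dir/stage/syft"
  chmod +x "$dir/stage/syft"
  tar -czf "$dir/$ASSET" -C "$dir/stage" syft
  (
    cd "$dir" || exit 1
    printf '%064d  syft_%s_darwin_arm64.tar.gz\n' 0 "$SYFT_VERSION"
    sha256sum "$ASSET"
  ) > "$dir/$CHECKSUMS"
}

# verify_asset DIR ASSET: select exactly the line for ASSET from the
# checksums file and feed it to `sha256sum -c -`. Fails on a digest mismatch
# and also when ASSET is not listed at all: `sha256sum -c` on empty input
# does fail, but with an unhelpful message, so the absence check is explicit.
verify_asset() {
  dir="$1"; asset="$2"
  (
    cd "$dir" || exit 1
    line="$(grep -E "[[:space:]][*]?${asset}\$" "$CHECKSUMS" || true)"
    if [ -z "$line" ]; then
      echo "verify_asset: ${asset} not listed in ${CHECKSUMS}" >&2
      exit 1
    fi
    printf '%s\n' "$line" | sha256sum -c - >/dev/null 2>&1
  )
}

# install_asset DIR PREFIX: extract the binary into PREFIX (the PR uses
# /usr/local/bin) and smoke-test it the way the PR does with `syft version`.
install_asset() {
  dir="$1"; prefix="$2"
  mkdir -p "$prefix"
  tar -xzf "$dir/$ASSET" -C "$prefix" syft || return 1
  "$prefix/syft" version | grep -q "$SYFT_VERSION"
}

# demo: happy path first, then the two failure modes. Returns 0 only if a
# genuine asset is accepted and installed, and both a tampered tarball and
# an unlisted asset name are rejected.
demo() {
  tmp="$(mktemp -d)" || return 1
  build_fixture "$tmp"
  verify_asset "$tmp" "$ASSET" || { echo "FAIL: genuine asset rejected" >&2; return 1; }
  install_asset "$tmp" "$tmp/prefix" || { echo "FAIL: install or smoke-test" >&2; return 1; }
  # Tamper after the digest was recorded: a swapped tarball must be refused.
  printf 'x' >> "$tmp/$ASSET"
  if verify_asset "$tmp" "$ASSET"; then echo "FAIL: tampered asset accepted" >&2; return 1; fi
  # An asset name missing from the checksums file must be refused too,
  # not silently treated as "nothing to check".
  if verify_asset "$tmp" "syft_${SYFT_VERSION}_linux_arm64.tar.gz" 2>/dev/null; then
    echo "FAIL: unlisted asset accepted" >&2; return 1
  fi
  rm -rf "$tmp"
  echo "verify/install pattern behaves as expected"
}

demo
```

The one thing this pattern cannot catch is an attacker who controls both the tarball and the checksums file on the same release page, since both come from the same origin; pinning `SYFT_VERSION` (rather than following a floating "latest") is what bounds that exposure, because the digest a reviewer verified once on a host, as the PR's validation section did, stays the digest the build expects.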