Add SBOM attestations to installer/release images, remove Scout
All checks were successful
Build Talos CM5 Image / build (push) Successful in 7m0s
All checks were successful
Build Talos CM5 Image / build (push) Successful in 7m0s
Attach cosign+syft SBOM attestations to crane-pushed installer and release images to satisfy Docker Scout supply chain policy. Replace docker tag/push with crane copy for the release target. Remove the Scout CVE scan target and clean up release notes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Mathias Beaulieu-Duncan
parent
44aa3793ee
commit
ba3c42f561
@ -30,7 +30,7 @@ jobs:
|
||||
|
||||
- name: Install build dependencies
|
||||
run: |
|
||||
for pkg in make gnu-sed crane; do
|
||||
for pkg in make gnu-sed crane cosign syft; do
|
||||
brew list --formula "$pkg" &>/dev/null || brew install "$pkg"
|
||||
done
|
||||
gmake --version | head -1
|
||||
@ -63,11 +63,15 @@ jobs:
|
||||
- name: Build installer and disk image
|
||||
run: gmake installer
|
||||
|
||||
- name: Tag release images
|
||||
run: gmake release TAG=${{ steps.version.outputs.tag }}
|
||||
- name: Attest installer image
|
||||
env:
|
||||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
||||
run: gmake attest COSIGN_KEY=<(echo "${{ secrets.COSIGN_PRIVATE_KEY }}")
|
||||
|
||||
- name: Run Docker Scout CVE scan
|
||||
run: gmake scout
|
||||
- name: Tag release images
|
||||
env:
|
||||
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
||||
run: gmake release TAG=${{ steps.version.outputs.tag }} COSIGN_KEY=<(echo "${{ secrets.COSIGN_PRIVATE_KEY }}")
|
||||
|
||||
- name: Compress disk image
|
||||
run: |
|
||||
@ -91,11 +95,6 @@ jobs:
|
||||
REPO="${GITHUB_REPOSITORY}"
|
||||
API="${GITEA_URL}/api/v1"
|
||||
|
||||
SCOUT_SECTION=""
|
||||
if [ -f _out/scout-report.md ]; then
|
||||
SCOUT_SECTION=$(cat _out/scout-report.md)
|
||||
fi
|
||||
|
||||
# Extract component versions from tag (format: v1.12.3-k6.12.47-1)
|
||||
TALOS_VER=$(echo "$TAG" | sed -E 's/^(v[0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
|
||||
KERNEL_VER=$(echo "$TAG" | sed -E 's/.*-k([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
|
||||
@ -109,10 +108,7 @@ jobs:
|
||||
|
||||
## Artifacts
|
||||
- \`metal-arm64.raw.zst\` — Raw disk image for eMMC flashing
|
||||
- \`docker.io/svrnty/talos-rpi5:${TAG}\` — Installer image for talosctl upgrade
|
||||
|
||||
## Security Scan
|
||||
${SCOUT_SECTION}"
|
||||
- \`docker.io/svrnty/talos-rpi5:${TAG}\` — Installer image for talosctl upgrade"
|
||||
|
||||
# Strip leading whitespace from heredoc-style indentation
|
||||
RELEASE_BODY=$(echo "$RELEASE_BODY" | sed 's/^ //')
|
||||
|
||||
57
Makefile
57
Makefile
@ -74,7 +74,7 @@ help:
|
||||
@echo " overlay — Build SBC overlay (U-Boot, firmware, DTBs)"
|
||||
@echo " installer — Build Talos installer image + raw disk image"
|
||||
@echo " release — Tag and push release images"
|
||||
@echo " scout — Run Docker Scout CVE scan on all images"
|
||||
@echo " attest — Attach SBOM attestation to installer image"
|
||||
@echo " clean — Remove checkouts and build artifacts"
|
||||
@echo ""
|
||||
@echo "Variables:"
|
||||
@ -188,45 +188,32 @@ installer:
|
||||
--base-installer-image="$(INSTALLER_IMAGE):$(TALOS_TAG)" \
|
||||
$(IMAGER_COMMON_FLAGS)
|
||||
|
||||
#
|
||||
# Attestation — attach SBOM to crane-pushed images
|
||||
#
|
||||
COSIGN_KEY ?= cosign.key
|
||||
|
||||
.PHONY: attest
|
||||
attest:
|
||||
syft $(INSTALLER_IMAGE):$(TALOS_TAG) \
|
||||
--platform linux/arm64 \
|
||||
-o spdx-json=_out/installer-sbom.spdx.json
|
||||
cosign attest --predicate _out/installer-sbom.spdx.json \
|
||||
--type spdxjson \
|
||||
--key $(COSIGN_KEY) \
|
||||
$(INSTALLER_IMAGE):$(TALOS_TAG)
|
||||
|
||||
#
|
||||
# Release — tag images with the Git tag for stable references
|
||||
#
|
||||
.PHONY: release
|
||||
release:
|
||||
docker pull $(INSTALLER_IMAGE):$(TALOS_TAG) && \
|
||||
docker tag $(INSTALLER_IMAGE):$(TALOS_TAG) $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG) && \
|
||||
docker push $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
|
||||
|
||||
#
|
||||
# Scout — Docker Scout CVE scan on all pushed images
|
||||
#
|
||||
SCOUT_REPORT := _out/scout-report.md
|
||||
SCOUT_IMAGES := \
|
||||
$(KERNEL_IMAGE):$(PKGS_TAG) \
|
||||
$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) \
|
||||
$(IMAGER_IMAGE):$(TALOS_TAG) \
|
||||
$(INSTALLER_IMAGE):base-$(TALOS_TAG) \
|
||||
$(INSTALLER_IMAGE):$(TALOS_TAG)
|
||||
|
||||
.PHONY: scout
|
||||
scout:
|
||||
@mkdir -p _out
|
||||
@if ! docker scout version >/dev/null 2>&1; then \
|
||||
echo "Docker Scout not available -- skipping CVE scan." > $(SCOUT_REPORT); \
|
||||
exit 0; \
|
||||
fi
|
||||
@echo "# Docker Scout CVE Summary" > $(SCOUT_REPORT)
|
||||
@echo "" >> $(SCOUT_REPORT)
|
||||
@for image in $(SCOUT_IMAGES); do \
|
||||
echo "Scanning $$image ..."; \
|
||||
echo "### $${image##*/}" >> $(SCOUT_REPORT); \
|
||||
echo '```' >> $(SCOUT_REPORT); \
|
||||
docker scout quickview "$$image" --platform linux/arm64 2>&1 >> $(SCOUT_REPORT) || \
|
||||
echo "Scout scan failed for $$image" >> $(SCOUT_REPORT); \
|
||||
echo '```' >> $(SCOUT_REPORT); \
|
||||
echo "" >> $(SCOUT_REPORT); \
|
||||
done
|
||||
@echo "Scout report written to $(SCOUT_REPORT)"
|
||||
crane copy $(INSTALLER_IMAGE):$(TALOS_TAG) \
|
||||
$(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
|
||||
cosign attest --predicate _out/installer-sbom.spdx.json \
|
||||
--type spdxjson \
|
||||
--key $(COSIGN_KEY) \
|
||||
$(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
|
||||
|
||||
#
|
||||
# Clean
|
||||
|
||||
4
cosign.pub
Normal file
4
cosign.pub
Normal file
@ -0,0 +1,4 @@
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPkZxXgi280kakXdVwjygCvIs5chd
|
||||
Ns/gANqNilq0OZDkmcAzeaKJRkRbiDjqNeW1JLv1CYwN/1olypEdVyjLoQ==
|
||||
-----END PUBLIC KEY-----
|
||||
Loading…
Reference in New Issue
Block a user