Add SBOM attestations to installer/release images, remove Scout
Attach cosign+syft SBOM attestations to crane-pushed installer and release images to satisfy Docker Scout supply chain policy. Replace docker tag/push with crane copy for the release target. Remove the Scout CVE scan target and clean up release notes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
44aa3793ee
commit
ba3c42f561
@ -30,7 +30,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Install build dependencies
|
- name: Install build dependencies
|
||||||
run: |
|
run: |
|
||||||
for pkg in make gnu-sed crane; do
|
for pkg in make gnu-sed crane cosign syft; do
|
||||||
brew list --formula "$pkg" &>/dev/null || brew install "$pkg"
|
brew list --formula "$pkg" &>/dev/null || brew install "$pkg"
|
||||||
done
|
done
|
||||||
gmake --version | head -1
|
gmake --version | head -1
|
||||||
@ -63,11 +63,15 @@ jobs:
|
|||||||
- name: Build installer and disk image
|
- name: Build installer and disk image
|
||||||
run: gmake installer
|
run: gmake installer
|
||||||
|
|
||||||
- name: Tag release images
|
- name: Attest installer image
|
||||||
run: gmake release TAG=${{ steps.version.outputs.tag }}
|
env:
|
||||||
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
||||||
|
run: gmake attest COSIGN_KEY=<(echo "${{ secrets.COSIGN_PRIVATE_KEY }}")
|
||||||
|
|
||||||
- name: Run Docker Scout CVE scan
|
- name: Tag release images
|
||||||
run: gmake scout
|
env:
|
||||||
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
||||||
|
run: gmake release TAG=${{ steps.version.outputs.tag }} COSIGN_KEY=<(echo "${{ secrets.COSIGN_PRIVATE_KEY }}")
|
||||||
|
|
||||||
- name: Compress disk image
|
- name: Compress disk image
|
||||||
run: |
|
run: |
|
||||||
@ -91,11 +95,6 @@ jobs:
|
|||||||
REPO="${GITHUB_REPOSITORY}"
|
REPO="${GITHUB_REPOSITORY}"
|
||||||
API="${GITEA_URL}/api/v1"
|
API="${GITEA_URL}/api/v1"
|
||||||
|
|
||||||
SCOUT_SECTION=""
|
|
||||||
if [ -f _out/scout-report.md ]; then
|
|
||||||
SCOUT_SECTION=$(cat _out/scout-report.md)
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Extract component versions from tag (format: v1.12.3-k6.12.47-1)
|
# Extract component versions from tag (format: v1.12.3-k6.12.47-1)
|
||||||
TALOS_VER=$(echo "$TAG" | sed -E 's/^(v[0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
|
TALOS_VER=$(echo "$TAG" | sed -E 's/^(v[0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
|
||||||
KERNEL_VER=$(echo "$TAG" | sed -E 's/.*-k([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
|
KERNEL_VER=$(echo "$TAG" | sed -E 's/.*-k([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
|
||||||
@ -109,10 +108,7 @@ jobs:
|
|||||||
|
|
||||||
## Artifacts
|
## Artifacts
|
||||||
- \`metal-arm64.raw.zst\` — Raw disk image for eMMC flashing
|
- \`metal-arm64.raw.zst\` — Raw disk image for eMMC flashing
|
||||||
- \`docker.io/svrnty/talos-rpi5:${TAG}\` — Installer image for talosctl upgrade
|
- \`docker.io/svrnty/talos-rpi5:${TAG}\` — Installer image for talosctl upgrade"
|
||||||
|
|
||||||
## Security Scan
|
|
||||||
${SCOUT_SECTION}"
|
|
||||||
|
|
||||||
# Strip leading whitespace from heredoc-style indentation
|
# Strip leading whitespace from heredoc-style indentation
|
||||||
RELEASE_BODY=$(echo "$RELEASE_BODY" | sed 's/^ //')
|
RELEASE_BODY=$(echo "$RELEASE_BODY" | sed 's/^ //')
|
||||||
|
|||||||
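--- a/Makefile
+++ b/Makefile
@@ -74,7 +74,7 @@ help:
 @echo " overlay — Build SBC overlay (U-Boot, firmware, DTBs)"
 @echo " installer — Build Talos installer image + raw disk image"
 @echo " release — Tag and push release images"
-@echo " scout — Run Docker Scout CVE scan on all images"
+@echo " attest — Attach SBOM attestation to installer image"
 @echo " clean — Remove checkouts and build artifacts"
 @echo ""
 @echo "Variables:"
@@ -188,45 +188,32 @@ installer:
 --base-installer-image="$(INSTALLER_IMAGE):$(TALOS_TAG)" \
 $(IMAGER_COMMON_FLAGS)
 
+#
+# Attestation — attach SBOM to crane-pushed images
+#
+COSIGN_KEY ?= cosign.key
+
+.PHONY: attest
+attest:
+syft $(INSTALLER_IMAGE):$(TALOS_TAG) \
+--platform linux/arm64 \
+-o spdx-json=_out/installer-sbom.spdx.json
+cosign attest --predicate _out/installer-sbom.spdx.json \
+--type spdxjson \
+--key $(COSIGN_KEY) \
+$(INSTALLER_IMAGE):$(TALOS_TAG)
+
 #
 # Release — tag images with the Git tag for stable references
 #
 .PHONY: release
 release:
-docker pull $(INSTALLER_IMAGE):$(TALOS_TAG) && \
-docker tag $(INSTALLER_IMAGE):$(TALOS_TAG) $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG) && \
-docker push $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
-
-#
-# Scout — Docker Scout CVE scan on all pushed images
-#
-SCOUT_REPORT := _out/scout-report.md
-SCOUT_IMAGES := \
-$(KERNEL_IMAGE):$(PKGS_TAG) \
-$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) \
-$(IMAGER_IMAGE):$(TALOS_TAG) \
-$(INSTALLER_IMAGE):base-$(TALOS_TAG) \
-$(INSTALLER_IMAGE):$(TALOS_TAG)
-
-.PHONY: scout
-scout:
-@mkdir -p _out
-@if ! docker scout version >/dev/null 2>&1; then \
-echo "Docker Scout not available -- skipping CVE scan." > $(SCOUT_REPORT); \
-exit 0; \
-fi
-@echo "# Docker Scout CVE Summary" > $(SCOUT_REPORT)
-@echo "" >> $(SCOUT_REPORT)
-@for image in $(SCOUT_IMAGES); do \
-echo "Scanning $$image ..."; \
-echo "### $${image##*/}" >> $(SCOUT_REPORT); \
-echo '```' >> $(SCOUT_REPORT); \
-docker scout quickview "$$image" --platform linux/arm64 2>&1 >> $(SCOUT_REPORT) || \
-echo "Scout scan failed for $$image" >> $(SCOUT_REPORT); \
-echo '```' >> $(SCOUT_REPORT); \
-echo "" >> $(SCOUT_REPORT); \
-done
-@echo "Scout report written to $(SCOUT_REPORT)"
+crane copy $(INSTALLER_IMAGE):$(TALOS_TAG) \
+$(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
+cosign attest --predicate _out/installer-sbom.spdx.json \
+--type spdxjson \
+--key $(COSIGN_KEY) \
+$(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
 
 #
 # Clean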
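Review bot: In the new `attest` and `release` recipes, `syft` and `cosign attest` each resolve the mutable reference `$(INSTALLER_IMAGE):$(TALOS_TAG)` on their own, so if the tag moves between the two calls, or between `make attest` and a later `make release`, the attestation ends up bound to a digest that `_out/installer-sbom.spdx.json` does not describe; resolving the tag once with `crane digest` and using `@sha256:…` references for syft, `crane copy` and both `cosign attest` calls makes the binding explicit. `release` also reads `_out/installer-sbom.spdx.json` without declaring it as a prerequisite, so `make release` fails at the `cosign attest` line unless `attest` ran first in the same checkout, and nothing creates `_out` any more now that the `@mkdir -p _out` of the removed `scout` rule is gone (whether syft creates the directory itself I cannot confirm from here). If the installer tag is a multi-arch index, `--platform linux/arm64` makes syft describe only the arm64 child while cosign attaches to the index digest — worth confirming what the imager pushes. The committed `cosign.pub` is not consumed by anything on the page; a `verify` target running `cosign verify-attestation --key cosign.pub --type spdxjson <ref>` would let CI check the result. The sketch below pins the digest in a file that both rules depend on; the `installer` rule would need to refresh that file (or `$(RM)` it) whenever it pushes a new image.
```make
COSIGN_KEY ?= cosign.key
SBOM := _out/installer-sbom.spdx.json
INSTALLER_DIGEST_FILE := _out/installer.digest

# Resolve the mutable tag to a digest once; every later step refers to it.
$(INSTALLER_DIGEST_FILE):
	@mkdir -p $(@D)
	crane digest $(INSTALLER_IMAGE):$(TALOS_TAG) > $@.tmp && mv -f $@.tmp $@

$(SBOM): $(INSTALLER_DIGEST_FILE)
	syft $(INSTALLER_IMAGE)@$$(cat $<) \
		--platform linux/arm64 \
		-o spdx-json=$@

.PHONY: attest
attest: $(SBOM) $(INSTALLER_DIGEST_FILE)
	cosign attest --predicate $(SBOM) \
		--type spdxjson \
		--key $(COSIGN_KEY) \
		$(INSTALLER_IMAGE)@$$(cat $(INSTALLER_DIGEST_FILE))

# … unchanged: Release header comment …
.PHONY: release
release: $(SBOM) $(INSTALLER_DIGEST_FILE)
	crane copy $(INSTALLER_IMAGE)@$$(cat $(INSTALLER_DIGEST_FILE)) \
		$(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
	cosign attest --predicate $(SBOM) \
		--type spdxjson \
		--key $(COSIGN_KEY) \
		$(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME)@$$(cat $(INSTALLER_DIGEST_FILE))
```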
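--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPkZxXgi280kakXdVwjygCvIs5chd
+Ns/gANqNilq0OZDkmcAzeaKJRkRbiDjqNeW1JLv1CYwN/1olypEdVyjLoQ==
+-----END PUBLIC KEY-----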