diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0534d82..4ddfbbe 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -123,6 +123,7 @@ jobs:
 docker build --output "type=image,push=$PUSH" \
 --provenance=false \
+ --sbom=true \
 --platform "linux/${ARCH_TAG}" \
 --target="pimcore_php_$imageVariant" \
 --build-arg PHP_VERSION="${PHP_VERSION}" \
@@ -131,6 +132,14 @@ jobs:
 docker inspect ${IMAGE_NAME}:${TAG} || true;
+ # Extract SBOM from the pushed image attestation
+ if [[ "$PUSH" == "true" ]]; then
+ mkdir -p sboms
+ docker buildx imagetools inspect "${IMAGE_NAME}:${TAG}" \
+ --format '{{ json .SBOM.CycloneDX }}' > "sboms/sbom-${TAG}.cdx.json" || \
+ echo "Warning: Could not extract SBOM for ${TAG}"
+ fi
+ # Only aggregate tags if we're publishing
+ if [[ "$PUSH" == "true" ]]; then
 CLEAN_TAGS="${TAGS//-arm64/}"
@@ -153,6 +162,13 @@ jobs:
 with:
 name: aggregated_tags_${{ matrix.runner }}_${{ matrix.build.tag }}_${{ matrix.build.php }}_${{ matrix.build.distro }}_${{ matrix.build.version-override }}_${{ matrix.build.latest-tag }}
 path: aggregated_tags.txt
+
+ - name: Upload SBOMs
+ uses: actions/upload-artifact@v7
+ with:
+ name: sboms_${{ matrix.runner }}_${{ matrix.build.tag }}_${{ matrix.build.php }}_${{ matrix.build.distro }}_${{ matrix.build.version-override }}_${{ matrix.build.latest-tag }}
+ path: sboms/
+ if-no-files-found: ignore
 process-tags:
 runs-on: ubuntu-22.04
@@ -192,5 +208,4 @@ jobs:
 docker manifest push "$tag"
- done
-
+ done
\ No newline at end of file
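Review bot: `--sbom=true` on the new line sits directly under the retained `--provenance=false`, and that combination deserves a second look: the SBOM is attached as an attestation manifest, which turns the pushed per-arch tag into an OCI image index, the very thing `--provenance=false` is usually kept to avoid when tags are later combined with the classic `docker manifest create`/`docker manifest push` flow used in `process-tags` (visible in the last hunk). Please confirm that the aggregation step still succeeds against an index and be aware that, even if it does, the SBOM attestation stays on the per-arch tags only and is not carried into the aggregated multi-arch manifest. With provenance still disabled the SBOM is also not tied to this workflow, commit or builder, so if an attestable record is the goal consider `--provenance=mode=max` instead of `false`. BuildKit produces the SBOM with a scanner image it pulls at build time (I believe the default is `docker/buildkit-syft-scanner:stable-1`, a mutable tag), so pinning it with `--sbom=generator=docker/buildkit-syft-scanner@sha256:<digest>` keeps that scan from becoming an unpinned dependency of every release build. The `docker build` invocation starts and ends outside this hunk.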
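Review bot: The template field on the new `--format` line looks wrong: BuildKit's SBOM attestation is SPDX, and the field that `docker buildx imagetools inspect` documents for it is `.SBOM.SPDX`; I am not aware of a `.SBOM.CycloneDX` field, and an unknown field makes the Go template fail, which the trailing `|| echo` turns into a green build that never produces an SBOM. The shell redirect also creates `sboms/sbom-${TAG}.cdx.json` before the command runs, so on failure an empty file is left behind and later uploaded as if it were a valid SBOM, and the plain `echo` is invisible in the job summary where a `::warning::` annotation would be noticed. Writing to a temporary path and only renaming on success, and naming the file by the format actually emitted, avoids both problems; if CycloneDX is truly required it has to be produced by a converter, not read from the attestation. The `run:` script this lives in starts and ends outside the hunk.

```shell
# … unchanged: docker inspect …
# Extract SBOM from the pushed image attestation (BuildKit emits SPDX)
if [[ "$PUSH" == "true" ]]; then
  mkdir -p sboms
  SBOM_FILE="sboms/sbom-${TAG}.spdx.json"
  if docker buildx imagetools inspect "${IMAGE_NAME}:${TAG}" \
       --format '{{ json .SBOM.SPDX }}' > "${SBOM_FILE}.tmp"; then
    mv "${SBOM_FILE}.tmp" "${SBOM_FILE}"
  else
    rm -f "${SBOM_FILE}.tmp"
    echo "::warning::Could not extract SBOM for ${TAG}"
  fi
fi
# … unchanged: tag aggregation …
```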
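Review bot: `if-no-files-found: ignore` on the new upload step makes a release with no SBOM at all indistinguishable from a successful one, since the extraction in the build step already swallows its own errors; `if-no-files-found: warn` (or `error`, if an SBOM is a release requirement) keeps the gap visible in the run. `uses: actions/upload-artifact@v7` references a mutable tag, so pinning it to a commit SHA with the version in a trailing comment, e.g. `uses: actions/upload-artifact@<sha> # v7`, is the usual supply-chain hardening for a release workflow — worth doing here if the rest of the file does not already pin its actions (the existing upload step's `uses:` line is outside this hunk). Note also that the artifacts are only retained on the workflow run; nothing in this diff attaches them to the GitHub release or signs them, which may be intended but is worth a comment on the step.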