From b0fd2462f5109e31fc4636a2314eef1a434efd68 Mon Sep 17 00:00:00 2001
From: "nebojsa.ilic"
Date: Mon, 18 May 2026 18:01:44 +0200
Subject: [PATCH 1/2] Added sbom
---
 .github/workflows/release.yml | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0534d82..b0e34c8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -123,6 +123,7 @@ jobs:
 docker build --output "type=image,push=$PUSH" \
 --provenance=false \
+ --sbom=true \
 --platform "linux/${ARCH_TAG}" \
 --target="pimcore_php_$imageVariant" \
 --build-arg PHP_VERSION="${PHP_VERSION}" \
@@ -131,6 +132,14 @@ jobs:
 docker inspect ${IMAGE_NAME}:${TAG} || true;
+ # Extract SBOM from the pushed image attestation
+ if [[ "$PUSH" == "true" ]]; then
+ mkdir -p sboms
+ docker buildx imagetools inspect "${IMAGE_NAME}:${TAG}" \
+ --format '{{ json .SBOM.CycloneDX }}' > "sboms/sbom-${TAG}.cdx.json" || \
+ echo "Warning: Could not extract SBOM for ${TAG}"
+ fi
+
 # Only aggregate tags if we're publishing
 if [[ "$PUSH" == "true" ]]; then
 CLEAN_TAGS="${TAGS//-arm64/}"
@@ -153,6 +162,13 @@ jobs:
 with:
 name: aggregated_tags_${{ matrix.runner }}_${{ matrix.build.tag }}_${{ matrix.build.php }}_${{ matrix.build.distro }}_${{ matrix.build.version-override }}_${{ matrix.build.latest-tag }}
 path: aggregated_tags.txt
+
+ - name: Upload SBOMs
+ uses: actions/upload-artifact@v7
+ with:
+ name: sboms_${{ matrix.runner }}_${{ matrix.build.tag }}_${{ matrix.build.php }}_${{ matrix.build.distro }}_${{ matrix.build.version-override }}_${{ matrix.build.latest-tag }}
+ path: sboms/
+ if-no-files-found: ignore
 process-tags:
 runs-on: ubuntu-22.04 
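Review bot: `--sbom=true` in the `docker build` hunk selects the default SBOM generator image, which as far as I know buildx resolves through a floating tag unless a generator is named explicitly; in a release pipeline the scanner that produces the attestation should itself be pinned, e.g. `--sbom=generator=docker/buildkit-syft-scanner@sha256:<generator-digest-placeholder> \`. A short comment next to the flag would also help readers, since `--provenance=false` on the line above means the pushed image carries an SBOM attestation but deliberately no provenance: `# SBOM attestation only; provenance is intentionally disabled`. The `docker build` invocation starts and continues outside the hunk, so I cannot tell from here whether the output becomes an image index that the later `docker inspect`/`docker manifest` steps expect.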
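Review bot: In the SBOM extraction block, the `> "sboms/sbom-${TAG}.cdx.json" || echo "Warning: ..."` form creates the output file before `imagetools inspect` runs, so a failed extraction leaves an empty (or `null`) file in `sboms/` that the upload step then publishes as if it were a real SBOM, and the warning is the only trace of it. As far as I know `imagetools inspect` exposes the attestation as `.SBOM.SPDX` (the default generator emits SPDX JSON) and has no `CycloneDX` field, so this template would likely fail on every image and be masked by the fallback; please verify against one pushed tag and name the file by the format actually produced. The rewrite below writes to a temp path, checks the result is non-empty, and only then moves it into place, raising a workflow warning otherwise; the enclosing `run:` step starts and ends outside this hunk.
```yaml
              # … unchanged: docker inspect …
              if [[ "$PUSH" == "true" ]]; then
                mkdir -p sboms
                sbom_file="sboms/sbom-${TAG}.spdx.json"
                # Only keep the file on success; a failed inspect must not leave an empty SBOM behind
                if ! docker buildx imagetools inspect "${IMAGE_NAME}:${TAG}" \
                    --format '{{ json .SBOM.SPDX }}' > "${sbom_file}.tmp" || [[ ! -s "${sbom_file}.tmp" ]]; then
                  rm -f "${sbom_file}.tmp"
                  echo "::warning::Could not extract SBOM for ${TAG}"
                else
                  mv "${sbom_file}.tmp" "$sbom_file"
                fi
              fi
```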
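Review bot: `if-no-files-found: ignore` on the new `Upload SBOMs` step means a publishing run in which every extraction failed (the preceding step only prints a warning) uploads nothing and the run still looks green; `if-no-files-found: warn` would at least surface the gap in the run summary. The value `ignore` is presumably there because the step also runs when `PUSH` is false and `sboms/` does not exist, but `PUSH` is a shell variable in the `run:` block, so gating the step on it would need a step output or `env` entry that this hunk does not add. Whether `actions/upload-artifact@v7` matches the version used by the neighbouring `aggregated_tags` upload cannot be checked here, since that step's `uses:` line is outside the hunk, as is the start of the enclosing job.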
@@ -194,3 +210,23 @@ jobs:
 done
+ attach-sboms:
+ name: "Attach SBOMs to release"
+ runs-on: ubuntu-22.04
+ needs: process-tags
+ if: (github.event_name != 'workflow_dispatch' || inputs.publish) && startsWith(github.ref, 'refs/tags/')
+ permissions:
+ contents: write
+ steps:
+ - name: Download all SBOMs
+ uses: actions/download-artifact@v8
+ with:
+ pattern: sboms_*
+ path: all-sboms
+ merge-multiple: true
+
+ - name: Attach SBOMs to GitHub release
+ uses: softprops/action-gh-release@v2
+ with:
+ files: all-sboms/*.cdx.json
+
From bcac327fbb7c1fb09a5ae3c415b3dae1b215e5e6 Mon Sep 17 00:00:00 2001
From: "nebojsa.ilic"
Date: Mon, 18 May 2026 18:03:27 +0200
Subject: [PATCH 2/2] Added sbom
---
 .github/workflows/release.yml | 23 +---------------------
 1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b0e34c8..4ddfbbe 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -208,25 +208,4 @@ jobs:
 docker manifest push "$tag"
- done
-
- attach-sboms:
- name: "Attach SBOMs to release"
- runs-on: ubuntu-22.04
- needs: process-tags
- if: (github.event_name != 'workflow_dispatch' || inputs.publish) && startsWith(github.ref, 'refs/tags/')
- permissions:
- contents: write
- steps:
- - name: Download all SBOMs
- uses: actions/download-artifact@v8
- with:
- pattern: sboms_*
- path: all-sboms
- merge-multiple: true
-
- - name: Attach SBOMs to GitHub release
- uses: softprops/action-gh-release@v2
- with:
- files: all-sboms/*.cdx.json
-
+ done
\ No newline at end of file 
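Review bot: `softprops/action-gh-release@v2` in the new `attach-sboms` job is a third-party action running under `contents: write` and referenced by a mutable tag; for the one step that can modify a release, pin it to a commit digest and keep the tag as a comment, `uses: softprops/action-gh-release@<commit-sha-placeholder> # v2`. The `files: all-sboms/*.cdx.json` glob has to match the suffix the extraction step really writes, and with `merge-multiple: true` any two matrix legs that produce the same filename overwrite each other silently; from what is visible `TAG` is part of the filename, so this is probably fine, but it deserves a comment on the download step saying the names are expected to be unique per leg. Note that PATCH 2/2 of this series deletes this whole job again, so if that revert is intentional the series would read better squashed.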
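Review bot: The re-added `done` line drops the file's trailing newline (`\ No newline at end of file`); restore it so the workflow still ends with `done` followed by a newline, which keeps yamllint quiet and future diffs clean. This commit also removes the only consumer of the `sboms_*` artifacts while the `Upload SBOMs` step from PATCH 1/2 stays, so SBOMs are still generated and uploaded per build but only retained as run artifacts; if that is the intended end state, a comment on the upload step such as `# SBOMs are kept as workflow artifacts only; they are not attached to the release` would prevent the next reader from assuming something is missing. The `for` loop that `done` closes begins outside the hunk.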