veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions 1

ci: cosign keyless sigs, SBOM, provenance + fedora digest pin #7

Merged
s8n merged 3 commits from feat/sre-cosign-sbom-attestation into main 2026-05-06 13:47:28 +01:00
Conversation 0 Commits 3 Files changed 1 +34 -1
1 changed files with 34 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 0a1b81a9e0 - Show all commits

35
.github/workflows/build-iso.yml vendored
View file

@ -20,7 +20,9 @@ on:
types: [published]
permissions:
contents: write # needed for action-gh-release to create+update ci-latest
contents: write # needed for action-gh-release to create+update ci-latest
id-token: write # cosign keyless OIDC + attest-build-provenance
attestations: write # attest-build-provenance writes the attestation
jobs:
build:
@ -197,6 +199,34 @@ jobs:
echo "[OK] split into:"
ls "${ISO}".part-*
- name: Install cosign
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
uses: sigstore/cosign-installer@v3
- name: Sign ISO parts (keyless)
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
run: |
cd build/out
for f in *.part-*; do
cosign sign-blob --yes "$f" \
--output-signature "$f.sig" \
--output-certificate "$f.pem"
done
- name: Generate SBOM (SPDX)
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
uses: anchore/sbom-action@v0
with:
path: build/out
format: spdx-json
output-file: build/out/veilor-os.spdx.json
- name: Build provenance attestation
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
uses: actions/attest-build-provenance@v2
with:
subject-path: 'build/out/*.iso.part-*'
- name: Publish to ci-latest rolling prerelease
if: success() && github.ref == 'refs/heads/main'
uses: softprops/action-gh-release@v2
@ -220,6 +250,9 @@ jobs:
files: |
build/out/*.iso.part-*
build/out/*.sha256
build/out/*.sig
build/out/*.pem
build/out/*.spdx.json
# Build log on failure: print inline + skip artifact upload to avoid
# quota wall. Job log retains everything anyway.