mirror of
https://github.com/docker/build-push-action.git
ci: inspect sbom and provenance
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
parent
b625868b13
commit
fae8018297
1 changed files with 39 additions and 19 deletions
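--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -598,12 +598,24 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-attrs:
-- ''
-- mode=max
-- builder-id=foo
-- false
-- true
+include:
+- target: image
+output: type=image,name=localhost:5000/name/app:latest,push=true
+attr: mode=max
+- target: image
+output: type=image,name=localhost:5000/name/app:latest,push=true
+attr: ''
+- target: binary
+output: /tmp/buildx-build
+attr: mode=max
+- target: binary
+output: /tmp/buildx-build
+attr: ''
+services:
+registry:
+image: registry:2
+ports:
+- 5000:5000
 steps:
 -
 name: Checkout
@@ -622,11 +634,24 @@ jobs:
 with:
 context: ./test/go
 file: ./test/go/Dockerfile
-target: binary
-outputs: type=oci,dest=/tmp/build.tar
-provenance: ${{ matrix.attrs }}
-cache-from: type=gha,scope=provenance
-cache-to: type=gha,scope=provenance,mode=max
+target: ${{ matrix.target }}
+outputs: ${{ matrix.output }}
+provenance: ${{ matrix.attr }}
+-
+name: Inspect Provenance
+if: matrix.target == 'image'
+run: |
+docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .Provenance}}'
+-
+name: Check output folder
+if: matrix.target == 'binary'
+run: |
+tree /tmp/buildx-build
+-
+name: Print local Provenance
+if: matrix.target == 'binary'
+run: |
+cat /tmp/buildx-build/provenance.json | jq
 
 sbom:
 runs-on: ubuntu-latest
@@ -667,22 +692,17 @@ jobs:
 cache-from: type=gha,scope=attests-${{ matrix.target }}
 cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
 -
-name: Inspect image
+name: Inspect SBOM
 if: matrix.target == 'image'
 run: |
-docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .}}'
+docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .SBOM}}'
 -
 name: Check output folder
 if: matrix.target == 'binary'
 run: |
 tree /tmp/buildx-build
 -
-name: Print provenance
-if: matrix.target == 'binary'
-run: |
-cat /tmp/buildx-build/provenance.json | jq
--
-name: Print SBOM
+name: Print local SBOM
 if: matrix.target == 'binary'
 run: |
 cat /tmp/buildx-build/sbom.spdx.json | jq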
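Review bot: The new inspection steps only print attestation data and never assert on it, so the provenance job can stay green when the attestation is missing. In `Print local Provenance`, `cat /tmp/buildx-build/provenance.json | jq` hides a missing file if the step runs under the runner's default `bash -e` without `pipefail` (no `shell:` is visible in these hunks); `jq -e . /tmp/buildx-build/provenance.json` would fail the step instead. `Inspect Provenance` also runs for the `attr: ''` image entry, so piping the `imagetools inspect` output through `jq -e .` would at least reject a `null` result, assuming that is what the template renders when no provenance is attached. The same applies to `Inspect SBOM` in the last hunk; the job bodies start and end outside these hunks.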