Generate sboms for all images

.github/generate-sboms.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -euox pipefail
+
+SBOMS_DIR=${SBOMS_DIR:-"./sboms"}
+RECRUIT_IMAGES=$(yq .services.*.image <docker-compose/docker-compose.yaml)
+
+mkdir -p "$SBOMS_DIR"
+
+for IMAGE_NAME in $RECRUIT_IMAGES; do
+    SLUGIFIED_IMAGE_NAME=$(echo "$IMAGE_NAME" | iconv -t ascii//TRANSLIT | sed -r s/[^a-zA-Z0-9]+/-/g | sed -r s/^-+\|-+$//g | tr '[:upper:]' '[:lower:]')
+    trivy image --format=cyclonedx --security-checks=vuln --output="${SBOMS_DIR}/${SLUGIFIED_IMAGE_NAME}.cdx.json" "${IMAGE_NAME}"
+done

.github/workflows/release.yaml

@@ -6,21 +6,67 @@ on:
       - master
 
 jobs:
-  release:
-    name: Release
+  prepare-artifacts:
+    name: Prepare Artifacts
     runs-on: ubuntu-22.04
+    container: ghcr.io/chgl/kube-powertools:v1.19.12@sha256:e4a83ff88d1a8da75bdd9d3a7ba408a4cecc0da2088b8b1191bcb7e0f296a21c
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     steps:
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-        with:
-          fetch-depth: 0
 
       - name: Build Docker Compose deployment bundle
         run: |
           mkdir -p dist/
           cp -r docker-compose/ dist/
           tar -C dist -zcvf dist/recruit-docker-compose.tar.gz docker-compose/
 
+      - name: Build SBOM bundle from container images
+        run: |
+          ./.github/generate-sboms.sh
+          cp -r sboms/ dist/
+          tar -C dist -zcvf dist/recruit-container-sboms.tar.gz sboms/
+
+      - name: Generate SLSA subject for Docker Compose and SBOM bundles
+        id: hash
+        working-directory: dist
+        run: |
+          sha256sum recruit-docker-compose.tar.gz recruit-container-sboms.tar.gz > recruit-hashes.sha256
+          echo "::set-output name=hashes::$(base64 -w0 < recruit-hashes.sha256)"
+
+      - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
+        with:
+          name: release-assets
+          path: dist/*.tar.gz
+
+  provenance:
+    needs:
+      - prepare-artifacts
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    # can't be referenced by digest. See <https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance>
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.prepare-artifacts.outputs.hashes }}"
+
+  release:
+    name: Release
+    runs-on: ubuntu-22.04
+    needs:
+      - prepare-artifacts
+      - provenance
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0
+
       - name: Semantic Release
         uses: cycjimmy/semantic-release-action@e1fe1fc00a3729593e87efb2f88475de76d64a24 # tag=v3.1.1
         with:

.gitignore

@@ -2,3 +2,5 @@
 site/
 
 megalinter-reports/
+
+dist/

.releaserc.json

@@ -39,9 +39,19 @@
       {
         "assets": [
           {
-            "path": "dist/recruit-docker-compose.tar.gz",
-            "label": "Docker Compose Deployment Bundle",
+            "path": "attestation.intoto.jsonl/attestation.intoto.jsonl",
+            "label": "provenance-${nextRelease.gitTag}.intoto.jsonl",
+            "name": "provenance-${nextRelease.gitTag}.intoto.jsonl"
+          },
+          {
+            "path": "release-assets/recruit-docker-compose.tar.gz",
+            "label": "recruit-docker-compose-${nextRelease.gitTag}.tar.gz",
             "name": "recruit-docker-compose-${nextRelease.gitTag}.tar.gz"
+          },
+          {
+            "path": "release-assets/recruit-container-sboms.tar.gz",
+            "label": "recruit-container-sboms-${nextRelease.gitTag}.tar.gz",
+            "name": "recruit-container-sboms-${nextRelease.gitTag}.tar.gz"
           }
         ]
       }

.renovaterc.json

@@ -20,7 +20,7 @@
       "extends": ["schedule:monthly"]
     },
     {
-      "matchPackagePrefixes": ["ghcr.io/miracum/recruit"],
+      "matchPackagePatterns": ["^ghcr.io/miracum/recruit"],
       "extends": ["schedule:daily"]
     }
   ]