From e7b47477d8a8a996f29209b6bfab05b47ab6fac2 Mon Sep 17 00:00:00 2001
From: Sertac Ozercan
Date: Wed, 13 Dec 2023 06:12:19 +0000
Subject: [PATCH] ci: generate sbom and prov

Signed-off-by: Sertac Ozercan
---
 .github/workflows/pre-release.yaml | 2 ++
 .github/workflows/release.yaml | 2 ++
 .github/workflows/update-models.yaml | 1 +
 3 files changed, 5 insertions(+)

diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml
index 37f3927f..09e1de53 100644
--- a/.github/workflows/pre-release.yaml
+++ b/.github/workflows/pre-release.yaml
@@ -51,6 +51,8 @@ jobs:
 tags: ghcr.io/sozercan/aikit:dev
 cache-from: type=gha,scope=aikit
 cache-to: type=gha,scope=aikit,mode=max
+ sbom: true
+ provenance: true
 
 - name: Sign the images with GitHub OIDC Token
 env:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index af658bd2..99403138 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -60,6 +60,8 @@ jobs:
 ghcr.io/sozercan/aikit:latest
 cache-from: type=gha,scope=aikit
 cache-to: type=gha,scope=aikit,mode=max
+ sbom: true
+ provenance: true
 
 - name: Sign the images with GitHub OIDC Token
 env:
diff --git a/.github/workflows/update-models.yaml b/.github/workflows/update-models.yaml
index a2bfefdb..9c6985c7 100644
--- a/.github/workflows/update-models.yaml
+++ b/.github/workflows/update-models.yaml
@@ -61,6 +61,7 @@ jobs:
 docker buildx build . -t ghcr.io/sozercan/${MODEL_NAME}:${MODEL_SIZE}${MODEL_RUNTIME} \
 -f models/${{ matrix.model }}.yaml \
 --push --progress plain \
+ --sbom=true --provenance=true \
 --cache-from=type=gha,scope=${MODEL_NAME}-${MODEL_SIZE} \
 --cache-to=type=gha,scope=${MODEL_NAME}-${MODEL_SIZE},mode=max
 echo "DIGEST=$(cosign triangulate ghcr.io/sozercan/${MODEL_NAME}:${MODEL_SIZE}${MODEL_RUNTIME} --type digest)" >> $GITHUB_ENV
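Review bot: `provenance: true` in the `with:` block of pre-release.yaml (and likewise in release.yaml, and as `--provenance=true` in update-models.yaml) leaves the provenance mode to the builder's default, so the level of detail recorded can change with the action or BuildKit version. Stating it explicitly, e.g. `provenance: mode=max`, makes the intent reviewable; max mode records build-argument values, so no secret may be passed as a build arg. The SBOM and provenance that BuildKit attaches are not signed by the build itself, so consumers can only trust them through the cosign signature made in the following step, whose body lies outside the hunk. A comment such as `# attestations are covered by the cosign signature over the image index digest below` would record that dependency; confirm that the digest being signed is the index digest.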
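Review bot: The value written to `DIGEST` on the last line of the update-models.yaml hunk is looked up by tag after the push (`cosign triangulate ... --type digest`), so it is whatever the tag points to at that moment rather than the artifact this build just produced with its SBOM and provenance. If the tag moves in between (a concurrent run of the same matrix entry would do it), the later signature would presumably land on an image whose attestations came from a different build. Capturing the digest from the build itself closes the gap: add `--metadata-file "$RUNNER_TEMP/metadata.json" \` to the build command and read `containerimage.digest` from that file instead of resolving the tag. The `run:` script starts and continues outside the hunk, so the signing step itself is not visible here.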