From b0fd2462f5109e31fc4636a2314eef1a434efd68 Mon Sep 17 00:00:00 2001 From: "nebojsa.ilic" Date: Mon, 18 May 2026 18:01:44 +0200 Subject: [PATCH 1/5] Added sbom --- .github/workflows/release.yml | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0534d82..b0e34c8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -123,6 +123,7 @@ jobs: docker build --output "type=image,push=$PUSH" \ --provenance=false \ + --sbom=true \ --platform "linux/${ARCH_TAG}" \ --target="pimcore_php_$imageVariant" \ --build-arg PHP_VERSION="${PHP_VERSION}" \ @@ -131,6 +132,14 @@ jobs: docker inspect ${IMAGE_NAME}:${TAG} || true; + # Extract SBOM from the pushed image attestation + if [[ "$PUSH" == "true" ]]; then + mkdir -p sboms + docker buildx imagetools inspect "${IMAGE_NAME}:${TAG}" \ + --format '{{ json .SBOM.CycloneDX }}' > "sboms/sbom-${TAG}.cdx.json" || \ + echo "Warning: Could not extract SBOM for ${TAG}" + fi + # Only aggregate tags if we're publishing if [[ "$PUSH" == "true" ]]; then CLEAN_TAGS="${TAGS//-arm64/}" @@ -153,6 +162,13 @@ jobs: with: name: aggregated_tags_${{ matrix.runner }}_${{ matrix.build.tag }}_${{ matrix.build.php }}_${{ matrix.build.distro }}_${{ matrix.build.version-override }}_${{ matrix.build.latest-tag }} path: aggregated_tags.txt + + - name: Upload SBOMs + uses: actions/upload-artifact@v7 + with: + name: sboms_${{ matrix.runner }}_${{ matrix.build.tag }}_${{ matrix.build.php }}_${{ matrix.build.distro }}_${{ matrix.build.version-override }}_${{ matrix.build.latest-tag }} + path: sboms/ + if-no-files-found: ignore process-tags: runs-on: ubuntu-22.04 
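Review bot: The added `--sbom=true \` sits directly under a line that keeps `--provenance=false \`, so the image gets a package inventory but no build-origin attestation tying that inventory to this workflow run and commit. I assume provenance was disabled because BuildKit wraps an attested single-platform image in an index, which the `docker manifest create` step elsewhere in this file cannot consume; patch 3 of this series replaces that step with `docker buildx imagetools create`, after which the restriction no longer applies. Consider adding `--provenance=mode=max \` once the merge step has moved, and note that the flag only takes effect on a BuildKit builder, which patch 4 of this series supplies by switching this line to `docker buildx build`. The `run:` script this line belongs to starts and ends outside the hunk.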
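Review bot: In the new extraction block the redirect `> "sboms/sbom-${TAG}.cdx.json"` creates the output file before `imagetools inspect` runs, so when the command fails the `|| echo "Warning: ..."` fallback leaves an empty file behind that is later uploaded and attached to the release as if it were a valid SBOM. Remove it in the fallback, e.g. `|| { echo "Warning: Could not extract SBOM for ${TAG}"; rm -f "sboms/sbom-${TAG}.cdx.json"; }`. I also do not believe the imagetools format template exposes a `.SBOM.CycloneDX` field — the documented accessor is `.SBOM.SPDX`, matching the SPDX output of BuildKit's default scanner — so confirm the format string against a real image; with an unknown field the template either fails or renders `null`, and either way the branch above leaves a bogus file. The enclosing `run:` script starts and ends outside the hunk.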
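Review bot: `if-no-files-found: ignore` on the new Upload SBOMs step hides the case where the extraction above failed on a publish run, so a release can quietly ship without SBOMs. Since `sboms/` only exists when `$PUSH` is true, gate the step on the same publish condition the file already uses for other jobs, `if: github.event_name != 'workflow_dispatch' || inputs.publish` (assuming that is what `$PUSH` is derived from, which is not visible here), and set `if-no-files-found: error` so a missing SBOM fails the leg instead of being ignored.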
@@ -194,3 +210,23 @@ jobs: done + attach-sboms: + name: "Attach SBOMs to release" + runs-on: ubuntu-22.04 + needs: process-tags + if: (github.event_name != 'workflow_dispatch' || inputs.publish) && startsWith(github.ref, 'refs/tags/') + permissions: + contents: write + steps: + - name: Download all SBOMs + uses: actions/download-artifact@v8 + with: + pattern: sboms_* + path: all-sboms + merge-multiple: true + + - name: Attach SBOMs to GitHub release + uses: softprops/action-gh-release@v2 + with: + files: all-sboms/*.cdx.json + From bcac327fbb7c1fb09a5ae3c415b3dae1b215e5e6 Mon Sep 17 00:00:00 2001 From: "nebojsa.ilic" Date: Mon, 18 May 2026 18:03:27 +0200 Subject: [PATCH 2/5] Added sbom --- .github/workflows/release.yml | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b0e34c8..4ddfbbe 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -208,25 +208,4 @@ jobs: docker manifest push "$tag" - done - - attach-sboms: - name: "Attach SBOMs to release" - runs-on: ubuntu-22.04 - needs: process-tags - if: (github.event_name != 'workflow_dispatch' || inputs.publish) && startsWith(github.ref, 'refs/tags/') - permissions: - contents: write - steps: - - name: Download all SBOMs - uses: actions/download-artifact@v8 - with: - pattern: sboms_* - path: all-sboms - merge-multiple: true - - - name: Attach SBOMs to GitHub release - uses: softprops/action-gh-release@v2 - with: - files: all-sboms/*.cdx.json - + done \ No newline at end of file From a7bf06359d5cd0949bb6ad8d9fc07f8380eace48 Mon Sep 17 00:00:00 2001 From: "nebojsa.ilic" Date: Fri, 29 May 2026 11:07:27 +0200 Subject: [PATCH 3/5] Cleanup sbom --- .github/workflows/release.yml | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4ddfbbe..8de5cb6 100644 
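Review bot: The new `attach-sboms` job grants `contents: write` and then runs `softprops/action-gh-release@v2` and `actions/download-artifact@v8` referenced by mutable major-version tags, so whoever controls those tags can run code with release-write permission in this repository. Pin third-party actions on the release path to a full commit SHA with the version in a trailing comment, e.g. `uses: softprops/action-gh-release@<commit-sha>  # v2`. The same applies to `docker/setup-buildx-action@v4` added in patches 4 and 5 of this series, which runs next to the registry login secrets.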
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -132,14 +132,6 @@ jobs: docker inspect ${IMAGE_NAME}:${TAG} || true; - # Extract SBOM from the pushed image attestation - if [[ "$PUSH" == "true" ]]; then - mkdir -p sboms - docker buildx imagetools inspect "${IMAGE_NAME}:${TAG}" \ - --format '{{ json .SBOM.CycloneDX }}' > "sboms/sbom-${TAG}.cdx.json" || \ - echo "Warning: Could not extract SBOM for ${TAG}" - fi - # Only aggregate tags if we're publishing if [[ "$PUSH" == "true" ]]; then CLEAN_TAGS="${TAGS//-arm64/}" @@ -162,13 +154,6 @@ jobs: with: name: aggregated_tags_${{ matrix.runner }}_${{ matrix.build.tag }}_${{ matrix.build.php }}_${{ matrix.build.distro }}_${{ matrix.build.version-override }}_${{ matrix.build.latest-tag }} path: aggregated_tags.txt - - - name: Upload SBOMs - uses: actions/upload-artifact@v7 - with: - name: sboms_${{ matrix.runner }}_${{ matrix.build.tag }}_${{ matrix.build.php }}_${{ matrix.build.distro }}_${{ matrix.build.version-override }}_${{ matrix.build.latest-tag }} - path: sboms/ - if-no-files-found: ignore process-tags: runs-on: ubuntu-22.04 @@ -186,7 +171,7 @@ jobs: uses: actions/download-artifact@v8 with: path: artifacts - + - name: Process tags run: | find artifacts -type f -name "aggregated_tags.txt" -exec cat {} + > all_aggregated_tags.txt @@ -201,11 +186,10 @@ jobs: for tag in "${!UNIQUE_TAGS[@]}"; do echo "Processing tag: $tag" - - docker manifest create "$tag" \ - --amend "${tag}-amd64" \ - --amend "${tag}-arm64" - docker manifest push "$tag" + docker buildx imagetools create \ + --tag "$tag" \ + "${tag}-amd64" \ + "${tag}-arm64" done \ No newline at end of file From 6ec56ab2f978095f1b21a2472993bed757044eaa Mon Sep 17 00:00:00 2001 From: "nebojsa.ilic" Date: Fri, 29 May 2026 11:23:00 +0200 Subject: [PATCH 4/5] Cleanup sbom --- .github/workflows/release.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
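Review bot: The new `docker buildx imagetools create` call merges `"${tag}-amd64"` and `"${tag}-arm64"` by tag, and nothing in the hunk checks that the merged index actually carries the SBOM attestation manifests the build legs now produce with `--sbom=true`, which is presumably the reason for moving off `docker manifest create`. Consider following the create with a check such as `docker buildx imagetools inspect "$tag" --format '{{ json .SBOM }}'` so a regression in the scanner or in the merge is caught at release time rather than by consumers. Whether a failed create aborts the loop depends on the shell options of the `run:` script, which starts outside the hunk; pinning the per-arch sources by digest instead of tag would also make the published index reflect exactly what this workflow built rather than whatever the tag points at when the merge runs.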
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8de5cb6..4712fea 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -49,6 +49,9 @@ jobs: with: ref: ${{ matrix.build.tag }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v4 + - name: Login to DockerHub Registry run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin @@ -121,7 +124,7 @@ jobs: TAGS="$TAGS --tag $GHCR_TAG_MAJOR" fi - docker build --output "type=image,push=$PUSH" \ + docker buildx build --output "type=image,push=$PUSH" \ --provenance=false \ --sbom=true \ --platform "linux/${ARCH_TAG}" \ From a014aabf69669e804987cd791b1f50664afb8422 Mon Sep 17 00:00:00 2001 From: "nebojsa.ilic" Date: Fri, 29 May 2026 11:54:49 +0200 Subject: [PATCH 5/5] Cleanup sbom --- .github/workflows/release.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4712fea..68bb241 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -164,6 +164,9 @@ jobs: if: github.event_name != 'workflow_dispatch' || inputs.publish steps: + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v4 + - name: Login to DockerHub Registry run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin 
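Review bot: Switching the line to `docker buildx build` together with the `docker/setup-buildx-action@v4` step added in the first hunk means the build now runs, by that action's default, in a docker-container builder, and with `--output "type=image,push=$PUSH"` a non-publish run (`PUSH` false) no longer leaves the image in the runner's local daemon — only the push path exports anything. Anything downstream that assumes a local image, such as the `docker inspect ${IMAGE_NAME}:${TAG} || true` visible in patch 1's context, will then silently do nothing because of the `|| true`. If dry runs are meant to produce an inspectable image, export with `type=docker` when `$PUSH` is false, keeping in mind that I believe that exporter does not preserve attestations, so confirm which of the two the dry run needs. The `run:` script starts and ends outside the hunk.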
@@ -190,9 +193,15 @@ jobs: echo "Processing tag: $tag" - docker buildx imagetools create \ - --tag "$tag" \ - "${tag}-amd64" \ - "${tag}-arm64" + # Verify both per-arch images exist in the registry before merging + if docker buildx imagetools inspect "${tag}-amd64" > /dev/null 2>&1 \ + && docker buildx imagetools inspect "${tag}-arm64" > /dev/null 2>&1; then + docker buildx imagetools create \ + --tag "$tag" \ + "${tag}-amd64" \ + "${tag}-arm64" + else + echo "Error: Missing per-arch image for $tag, skipping" + fi done \ No newline at end of file
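Review bot: The new `else` branch only echoes `"Error: Missing per-arch image for $tag, skipping"` and continues, so a release run in which one architecture failed to push finishes green with the multi-arch tag either never created or left pointing at the previous index. Fail the job instead: `echo "Error: Missing per-arch image for $tag" >&2` followed by `exit 1` (or set a flag and `exit 1` after `done` so every missing tag is reported in one run). The existence check also runs before, not as part of, the create, and neither it nor `imagetools create` has its exit status handled except through whatever shell options the `run:` script sets outside this hunk.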