Added sbom #246
Pull request overview
Adds SBOM generation to the Docker release workflow: enables --sbom=true during docker build, extracts the CycloneDX SBOM from the pushed image via docker buildx imagetools inspect, and uploads the resulting JSON files as a build artifact per matrix entry.
Changes:
- Enable SBOM attestations in the docker build step.
- Extract the CycloneDX SBOM from the pushed image into sboms/sbom-<TAG>.cdx.json.
- Add an actions/upload-artifact@v7 step to publish the sboms/ directory.
Comments suppressed due to low confidence (2)
.github/workflows/release.yml:140
docker buildx imagetools inspect ${IMAGE_NAME}:${TAG} inspects the multi-arch manifest list at the registry. At this point in the loop, only the current architecture (linux/${ARCH_TAG}) has been pushed to that tag — the other architecture is pushed by a separate matrix job. Depending on timing/ordering between the two arch runners, the .SBOM.CycloneDX field for ${TAG} (which already contains -${ARCH_TAG}) should be a single-platform SBOM, but the --format '{{ json .SBOM.CycloneDX }}' output for a single-platform image is keyed by platform (e.g. {"linux/amd64": {...}}), not a bare CycloneDX document. The resulting sbom-*.cdx.json will therefore not be a valid CycloneDX file consumable by standard tooling. Consider using --format '{{ json (index .SBOM "linux/<arch>").SPDX }}'-style indexing, or docker buildx imagetools inspect --raw plus extraction, to produce a real CycloneDX document.
docker buildx imagetools inspect "${IMAGE_NAME}:${TAG}" \
--format '{{ json .SBOM.CycloneDX }}' > "sboms/sbom-${TAG}.cdx.json" || \
echo "Warning: Could not extract SBOM for ${TAG}"
.github/workflows/release.yml:171
- The "Upload SBOMs" step has no if: condition, unlike the immediately preceding "Upload aggregated tags" step (line 160) which is gated on github.event_name != 'workflow_dispatch' || inputs.publish. When a user triggers the workflow via workflow_dispatch with publish: false, PUSH will be false, the SBOM extraction block at line 136 is skipped, and sboms/ will not exist — if-no-files-found: ignore will avoid a hard failure, but the step still runs unnecessarily and clutters the run with an empty/skipped artifact. For consistency with the adjacent upload step, consider adding the same if: guard.
- name: Upload SBOMs
  uses: actions/upload-artifact@v7
  with:
    name: sboms_${{ matrix.runner }}_${{ matrix.build.tag }}_${{ matrix.build.php }}_${{ matrix.build.distro }}_${{ matrix.build.version-override }}_${{ matrix.build.latest-tag }}
    path: sboms/
    if-no-files-found: ignore
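As an added example (not code from this PR or the pimcore project), a small Python normalizer for the two output shapes the first comment above describes: a bare CycloneDX document and a map keyed by platform such as {"linux/amd64": {...}}. The sample JSON is constructed, and the structural checks are an assumption about the minimum a consumer needs from a CycloneDX file; running something like this before the upload step keeps an unusable sbom-*.cdx.json out of the release artifacts.

```python
"""Normalize `docker buildx imagetools inspect --format '{{ json ... }}'` output into one
CycloneDX document and sanity-check it before it is published as a build artifact."""
import json


def looks_like_platform_map(obj):
    """True when every top-level key is an os/arch string, i.e. output keyed by platform."""
    return (isinstance(obj, dict) and bool(obj)
            and all(isinstance(k, str) and "/" in k for k in obj))


def validate_cyclonedx(doc):
    """Minimal structural check (assumed sufficient here) that `doc` is a CycloneDX BOM."""
    if not isinstance(doc, dict):
        raise ValueError("SBOM is not a JSON object")
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("bomFormat is %r, expected 'CycloneDX'" % doc.get("bomFormat"))
    if not isinstance(doc.get("specVersion"), str):
        raise ValueError("missing specVersion")
    if not isinstance(doc.get("components", []), list):
        raise ValueError("components must be a list")
    return doc


def extract_cyclonedx(raw, platform):
    """Return the CycloneDX document for `platform` from the inspect output `raw`.

    Accepts either a bare BOM or a platform-keyed map; anything else is rejected so a
    wrapped or foreign-format file never reaches the artifact upload.
    """
    data = json.loads(raw)
    if looks_like_platform_map(data):
        if platform not in data:
            raise KeyError("no SBOM for %s; available: %s" % (platform, sorted(data)))
        data = data[platform]
    return validate_cyclonedx(data)


# Constructed sample inputs mirroring the two shapes discussed in the review comment.
BARE_BOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": [{"type": "library", "name": "zlib", "version": "1.3"}]})
PLATFORM_KEYED = json.dumps({"linux/amd64": json.loads(BARE_BOM)})

if __name__ == "__main__":
    for raw in (BARE_BOM, PLATFORM_KEYED):
        bom = extract_cyclonedx(raw, "linux/amd64")
        print(len(bom["components"]), "component(s) for linux/amd64")
```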
docker build --output "type=image,push=$PUSH" \
--provenance=false \
--sbom=true \
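Review bot: --sbom=true on this plain docker build line only produces an attestation when the build is routed through a buildx builder on the docker-container driver; with the default docker driver BuildKit rejects the flag ("attestations are not supported by the docker driver"), so no SBOM would be generated for the extraction step to read. Pair this line with a docker/setup-buildx-action step (as the later revision of the PR does) or invoke docker buildx build against that builder explicitly.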
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
.github/workflows/release.yml:134
- The PR description states that this change extracts the CycloneDX SBOM from each image's attestation, writes it under sboms/, and uploads the SBOM files as build artifacts. However, the diff only adds --sbom=true to the docker buildx build invocation; there are no steps that extract the SBOM (e.g. via docker buildx imagetools inspect ... --format '{{ json .SBOM }}') or upload it via actions/upload-artifact. Either the SBOM extraction/upload steps are missing from this PR, or the description should be updated to reflect that only SBOM generation during the build is being enabled.
docker buildx build --output "type=image,push=$PUSH" \
--provenance=false \
--sbom=true \
--platform "linux/${ARCH_TAG}" \
--target="pimcore_php_$imageVariant" \
--build-arg PHP_VERSION="${PHP_VERSION}" \
--build-arg DEBIAN_VERSION="${DEBIAN_VERSION}" \
${TAGS} .
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
.github/workflows/release.yml:134
- Switching from docker build to docker buildx build changes where the resulting image ends up. With --output type=image,push=false and the default docker-container buildx driver (which setup-buildx-action configures), the built image is kept in the builder's cache and is not loaded into the local Docker daemon. As a consequence, the subsequent docker inspect ${IMAGE_NAME}:${TAG} on line 136 will always fail when PUSH=false (it is currently hidden by || true), making the inspect step useless for dry-run/workflow_dispatch runs without publish. If the intent is to keep docker inspect working in non-publishing runs, add --load (and drop the second platform/SBOM in that path) or switch to type=docker when PUSH=false.
docker buildx build --output "type=image,push=$PUSH" \
--provenance=false \
--sbom=true \
--platform "linux/${ARCH_TAG}" \
--target="pimcore_php_$imageVariant" \
--build-arg PHP_VERSION="${PHP_VERSION}" \
--build-arg DEBIAN_VERSION="${DEBIAN_VERSION}" \
${TAGS} .
This pull request updates the Docker image build and release workflow in .github/workflows/release.yml to fully adopt Docker Buildx and improve multi-architecture image handling. The main changes involve switching to Buildx for building and merging images, adding build provenance and SBOM generation, and improving safety checks for image manifests.

Build system modernization:
- Switched from docker build to docker buildx build for building images, enabling advanced features and multi-platform support.
- Added a docker/setup-buildx-action@v4 step to set up Docker Buildx in relevant jobs. [1] [2]

Build output and security enhancements:
- Added --sbom=true to the build command, and explicitly disabled provenance with --provenance=false.

Multi-architecture image publishing improvements:
- Replaced docker manifest create/push with docker buildx imagetools create, and added a check to ensure both per-architecture images exist before merging them into a manifest. This prevents manifest creation if an image is missing.