Skip to content

add support for signing image and SBOM#24

Open
ramantehlan wants to merge 3 commits into
mainfrom
feat/image-signing-sbom
Open

add support for signing image and SBOM#24
ramantehlan wants to merge 3 commits into
mainfrom
feat/image-signing-sbom

Conversation

@ramantehlan

@ramantehlan ramantehlan commented Jul 15, 2026

Copy link
Copy Markdown

Note

Medium Risk
Changes affect shared CI used by many repos; misconfigured OIDC permissions or registry cosign support could break opt-in signing/SBOM steps without affecting default builds.

Overview
Extends the reusable build.yml image pipeline with optional supply-chain attestations after push: callers can turn on keyless cosign signing (enable_sign) and Syft-generated SPDX SBOM attestations (enable_sbom), both targeting the pushed manifest by digest for JFrog and/or Public ECR when those registries are enabled.

The workflow now surfaces the image digest as a reusable output (from the build step) so downstream jobs can pin or verify repo@sha256:…. New post-push steps install cosign/Syft when needed, fail fast on an empty digest, and document that callers must grant id-token: write for OIDC keyless signing.

README is updated with the new inputs, the digest output, usage with permissions, and example cosign verify / attestation commands.

Reviewed by Cursor Bugbot for commit 724aa16. Bugbot is set up for automated code reviews on this repo. Configure here.

Signed-off-by: Raman Tehlan <ramantehlan@gmail.com>
Comment thread .github/workflows/build.yml
Wire jobs.build.outputs.digest through on.workflow_call.outputs so
caller workflows can read needs.<job>.outputs.digest as documented.

Co-authored-by: Raman Tehlan <ramantehlan@gmail.com>

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit cb84f88. Configure here.

Comment thread .github/workflows/build.yml
anchore/sbom-action/download-syft exposes the binary via the cmd
output rather than relying on PATH. Give the install step an id and
invoke that path so enable_sbom does not fail with command not found.

Co-authored-by: Raman Tehlan <ramantehlan@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants