Add SBOM generation workflow#1710
Open
gianlucam76 wants to merge 3 commits into projectsveltos:main from
Conversation
Contributor
If we are implementing SBOM support, why not also implement cosign?
When a ClusterProfile is edited to simultaneously change the cluster selector (deselecting a cluster) and switch the sync mode to DryRun, the expected behavior is for a ClusterReport to be generated showing what resources would be removed. Instead, two bugs caused this to fail silently:

Bug 1: When a cluster stopped matching, the system immediately marked the ClusterSummary for deletion. This triggered actual undeploy logic before DryRun mode could take effect, leaving no ClusterReport behind.

Bug 2: In DryRun, the ClusterSummary must not be deleted. If the profile change is reverted, the goal is for Sveltos to remove nothing.

Fix: When a cluster stops matching a profile that is in DryRun mode:
- The ClusterSummary is kept alive rather than deleted, but its deployable content (Helm charts, policy refs, kustomization refs) is cleared and its sync mode is updated to DryRun atomically in a single update. This ensures the reconciler treats it as a DryRun from the moment it next runs.
- A ClusterReport is created immediately so the DryRun reconciliation has something to write its diff into.
- The ClusterConfiguration for the deselected cluster is left intact so the reconciler can access it during DryRun processing.

If the user reverts the selector change, the ClusterSummary is still present and can be restored without an unnecessary undeploy/redeploy cycle. If the user commits the change by switching off DryRun, the normal deletion and cleanup path runs as expected.
On every v* tag push this workflow:
- Builds and pushes a multi-arch (amd64 + arm64) image to Docker Hub using docker buildx
- Signs the image with cosign keyless signing (no key management required; the identity is tied to the GitHub Actions OIDC token)
- Generates an SBOM by scanning the pushed image (capturing base image packages in addition to Go dependencies)
- Attaches the SBOM as a signed DSSE attestation to the image in the Docker Hub registry
- Uploads the SBOM files (spdx-json, cyclonedx-json) to the GitHub release as a convenience for consumers that don't use OCI tooling
Any user can verify the image and SBOM came from this repo's CI and were not tampered with:
```bash
# Replace VERSION with the release tag you pulled. The identity regexp pins the
# signature to this repo's release.yaml workflow run from a v* tag; the issuer
# pins it to GitHub Actions OIDC. Both must match or verification fails.
cosign verify \
  --certificate-identity-regexp \
  "https://github.com/projectsveltos/addon-controller/.github/workflows/release.yaml@refs/tags/v.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  docker.io/projectsveltos/addon-controller:VERSION

# Same identity constraints, applied to the SPDX SBOM attestation attached to
# the image. On success the DSSE envelope (base64 payload) is printed to stdout.
cosign verify-attestation --type spdxjson \
  --certificate-identity-regexp \
  "https://github.com/projectsveltos/addon-controller/.github/workflows/release.yaml@refs/tags/v.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  docker.io/projectsveltos/addon-controller:VERSION
```
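The pipeline the description outlines, written out as an added illustration. This is not the release.yaml added by this PR (its contents are not shown on this page); it is an example assembled from the steps listed above. The action versions, the secret names DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, and the image name are assumptions, and the file must live at .github/workflows/release.yaml for the signing identity to match the verify commands above.

```yaml
# Added example workflow (not the project's release.yaml). Assumed names are
# marked; pin the actions to commit SHAs in real use.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: write   # upload SBOM files to the GitHub release
  id-token: write   # mint the OIDC token that cosign keyless signing uses

env:
  IMAGE: docker.io/projectsveltos/addon-controller   # assumed image name

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}   # assumed secret name
          password: ${{ secrets.DOCKERHUB_TOKEN }}      # assumed secret name

      - uses: sigstore/cosign-installer@v3
      - uses: anchore/sbom-action/download-syft@v0

      - name: Build and push multi-arch image
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ env.IMAGE }}:${{ github.ref_name }}

      # Everything below addresses the image by digest, never by tag: a tag is
      # mutable and can be re-pointed after signing, a digest cannot.
      - name: Sign image (keyless, identity = this workflow's OIDC token)
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: cosign sign --yes "${IMAGE}@${DIGEST}"

      - name: Generate SBOMs by scanning the pushed image
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          syft "${IMAGE}@${DIGEST}" -o spdx-json=sbom.spdx.json
          syft "${IMAGE}@${DIGEST}" -o cyclonedx-json=sbom.cdx.json

      - name: Attach SBOMs as signed DSSE attestations
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          cosign attest --yes --type spdxjson  --predicate sbom.spdx.json "${IMAGE}@${DIGEST}"
          cosign attest --yes --type cyclonedx --predicate sbom.cdx.json  "${IMAGE}@${DIGEST}"

      # Fail the release if what was just published does not verify against the
      # exact identity consumers will check (workflow path + the pushed tag ref).
      - name: Verify signature and SBOM attestation
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          ID="https://github.com/${GITHUB_REPOSITORY}/.github/workflows/release.yaml@${GITHUB_REF}"
          cosign verify --certificate-identity "$ID" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "${IMAGE}@${DIGEST}"
          cosign verify-attestation --type spdxjson --certificate-identity "$ID" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "${IMAGE}@${DIGEST}" > /dev/null

      - name: Upload SBOM files to the GitHub release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            sbom.spdx.json
            sbom.cdx.json
```

Two points worth checking in any real version of this workflow: the `id-token: write` permission is what lets cosign obtain a Fulcio certificate bound to the workflow identity, so it should be granted only to the release job, not at the repository level; and the consumer-side check uses `--certificate-identity-regexp`, which cosign applies unanchored, so a pattern like `...release.yaml@refs/tags/v.*` should be anchored with `^` and `$` (or replaced by an exact `--certificate-identity` for the tag being pulled) if you want it to reject identities that merely contain that string.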
Generate SPDX and CycloneDX SBOMs on every release tag using syft, and attach them as assets to the GitHub release.