SBOM file generation.

Adds new steps in the build and release workflow to generate, sign and
publish a SBOM file for Policy Server.

.github/workflows/container-image.yml

@@ -1,4 +1,4 @@
-name: Build container image
+name: Build policy server
 on:
   push:
     branches:
@@ -28,6 +28,9 @@ jobs:
     needs:
       - ci
     steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+
       - name: Configure Ubuntu repositories
         run: |
           sudo dpkg --add-architecture arm64
@@ -82,11 +85,36 @@ jobs:
           cargo build --release --target ${{ matrix.targetarch }}-unknown-linux-musl
           mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/policy-server policy-server-${{ matrix.targetarch }}
 
-      - name: Upload policy-server
+      - name: Generate SBOM
+        run: |
+          make sbom
+          # SBOM files should have "sbom" in the name due the CLO monitor
+          # https://clomonitor.io/docs/topics/checks/#software-bill-of-materials-sbom
+          cp bom-cargo.json policy-server-${{ matrix.targetarch }}-sbom.spdx.json
+
+      - name: Sign BOM file
+        run: |
+          cosign sign-blob --output-certificate policy-server-${{ matrix.targetarch }}-sbom.spdx.cert \
+            --output-signature policy-server-${{ matrix.targetarch }}-sbom.spdx.sig \
+            policy-server-${{ matrix.targetarch }}-sbom.spdx.json
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Upload policy-server binary
         uses: actions/upload-artifact@v2
         with:
           name: policy-server-${{ matrix.targetarch }}
-          path: policy-server-${{ matrix.targetarch }}
+          path: |
+            policy-server-${{ matrix.targetarch }}
+
+      - name: Upload policy-server SBOM files
+        uses: actions/upload-artifact@v2
+        with:
+          name: policy-server-${{ matrix.targetarch }}-sbom
+          path: |
+            policy-server-${{ matrix.targetarch }}-sbom.spdx.json
+            policy-server-${{ matrix.targetarch }}-sbom.spdx.cert
+            policy-server-${{ matrix.targetarch }}-sbom.spdx.sig
 
   build-container-image:
     name: Build policy server container image

.github/workflows/release.yml

@@ -1,23 +1,49 @@
-name: policy-server release
+name: Release policy server
 on:
-  push:
-    tags:
-    - 'v*'
+  workflow_run:
+    workflows: ["Build policy server"]
+    types:
+      - completed
+    branches:
+      - "v*"
 jobs:
-  ci:
-    uses: kubewarden/policy-server/.github/workflows/tests.yml@main
   release:
     name: Create release
     runs-on: ubuntu-latest
-    needs:
-      - ci
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
+      - name: Download build artifacts
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            const matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name.startsWith("policy-server")
+            });
+            for (const artifact of matchArtifact) {
+              let download = await github.rest.actions.downloadArtifact({
+                 owner: context.repo.owner,
+                 repo: context.repo.repo,
+                 artifact_id: artifact.id,
+                 archive_format: 'zip',
+              });
+              let fs = require('fs');
+              file_path = `${process.env.GITHUB_WORKSPACE}/${artifact.name}.zip`;
+              fs.writeFileSync(file_path, Buffer.from(download.data));
+            }
+
       - name: Create release
-        uses: actions/create-release@v1
+        uses: softprops/action-gh-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release policy-server ${{ github.ref }}
+          tag_name: ${{ github.event.workflow_run.head_branch }}
+          name: Release policy-server ${{ github.event.workflow_run.head_branch }}
           draft: false
-          prerelease: ${{ contains(github.ref, '-alpha') || contains(github.ref, '-beta') || contains(github.ref, '-rc') }}
+          prerelease: ${{ contains(github.event.workflow_run.head_branch, '-alpha') || contains(github.event.workflow_run.head_branch, '-beta') || contains(github.event.workflow_run.head_branch, '-rc') }}
+          files: |
+            policy-server*

.gitignore

@@ -1 +1,3 @@
-/target
+/target
+spdx-sbom-generator*
+bom-cargo.json

Cargo.toml

@@ -2,9 +2,11 @@
 name = "policy-server"
 version = "1.1.2"
 authors = [
+  "Kubewarden",
   "Flavio Castelli <fcastelli@suse.com>",
   "Rafael Fernández López <rfernandezlopez@suse.com>",
-  "Víctor Cuadrado Juan <vcuadradojuan@suse.de>"
+  "Víctor Cuadrado Juan <vcuadradojuan@suse.de>",
+  "José Guilherme Vanz <jguilhermevanz@suse.com>"
 ]
 edition = "2018"
 

Makefile

@@ -31,3 +31,12 @@ tag:
 .PHONY: docker-build
 docker-build: test ## Build docker image with the manager.
 	docker build -t ${IMG} .
+
+spdx-sbom-generator:
+	curl -L -O https://github.com/opensbom-generator/spdx-sbom-generator/releases/download/v0.0.15/spdx-sbom-generator-v0.0.15-linux-amd64.tar.gz
+	tar -xf spdx-sbom-generator-v0.0.15-linux-amd64.tar.gz
+
+
+.PHONY: sbom-generator
+sbom: spdx-sbom-generator
+	./spdx-sbom-generator -f json

README.md

@@ -119,3 +119,10 @@ Alternatively, the `policy-server` binary can be built in this way:
 ```shell
 $ make build
 ```
+
+# Software bill of materials
+
+Policy server has its software bill of materials (SBOM) published every release.
+It follows the [SPDX](https://spdx.dev/) version 2.2 format and it can be found
+together with the signature and certificate used to signed it in the
+[release assets](https://github.com/kubewarden/policy-server/releases)