Merge pull request #5 from MuseIT-project/fix/sbom

tvanerven · web-flow · commit 325fb1e69e88 · 2025-07-21T11:24:33.000+03:00
Fix/SBOM
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -2,7 +2,7 @@ name: Build and Deploy to RKE2
 
 on:
   push:
-    branches: [ "master" ]
+    branches: [ "master", 'fix/sbom' ]
 
 jobs:
   build:
@@ -17,25 +17,13 @@ jobs:
         username: ${{ secrets.HARBOR_USERNAME }}
         password: ${{ secrets.HARBOR_PASSWORD }}
 
-    - name: Create Python SBOM
-      run: |
-        python -m pip install --upgrade pip
-        pip install cyclonedx-bom
-        pip install -r requirements.txt
-        cyclonedx-bom -r requirements.txt -o sbom-python.xml
-
-    - name: Install cosign
-      run: |
-        curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 \
-          -o cosign
-        chmod +x cosign
-        sudo mv cosign /usr/local/bin/
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3.9.2
 
     - name: Install oras
-      run: |
-        curl -sSfL https://github.com/oras-project/oras/releases/latest/download/oras_1.1.0_linux_amd64.tar.gz \
-          | tar -xz
-        sudo mv oras /usr/local/bin/
+      uses: oras-project/setup-oras@v1
+      with:
+        version: 1.2.3
 
     - name: Build and Push Docker image
       run: |
@@ -44,23 +32,18 @@ jobs:
         docker push harbor.wizardtower.dev/museit/museit-docs:latest
         docker push harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA
 
-    - name: Push SBOM to Harbor
-      run: |
-        oras push harbor.wizardtower.dev/museit/museit-docs/sbom:latest \
-          --manifest-config sbom-python.xml:application/xml \
-          sbom-python.xml:application/xml
-        oras push harbor.wizardtower.dev/museit/museit-docs/sbom:$GITHUB_SHA \
-          --manifest-config sbom-python.xml:application/xml \
-          sbom-python.xml:application/xml
-
-    - name: Sign SBOM with Cosign
+    - name: Sign images with Cosign
       env:
-        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
       run: |
-        echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
         cosign sign \
-          --key cosign.key \
-          harbor.wizardtower.dev/museit/museit-docs/sbom:$GITHUB_SHA
+          --yes \
+          --key env://COSIGN_PRIVATE_KEY \
+          harbor.wizardtower.dev/museit/museit-docs:latest
+        cosign sign \
+          --yes \
+          --key env://COSIGN_PRIVATE_KEY \
+          harbor.wizardtower.dev/museit/museit-docs:$GITHUB_SHA
 
   deploy:
     runs-on: [ self-hosted, linux, rke2, wizardtower ]
