From 39b39310df63588f6ad65a1cbd719b71e40139a7 Mon Sep 17 00:00:00 2001
From: Mateusz Wronski
Date: Wed, 28 Jan 2026 14:11:25 +0100
Subject: [PATCH] chore: add SBOM generation and attachment for swagger images
---
 .github/workflows/docker-release-3.0.yml | 38 +++++++++++++++++++++
 .github/workflows/docker-release-master.yml | 21 +++++++++++-
 2 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/docker-release-3.0.yml b/.github/workflows/docker-release-3.0.yml
index 95c7e96a43f..b50772c1b7f 100644
--- a/.github/workflows/docker-release-3.0.yml
+++ b/.github/workflows/docker-release-3.0.yml
@@ -93,6 +93,44 @@ jobs:
 platforms: linux/amd64,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x
 provenance: false
 tags: swaggerapi/swagger-generator-v3-minimal:latest,swaggerapi/swagger-generator-v3-minimal:${{ env.TAG }}
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3.7.0
+ - name: Generate SBOM for swagger-generator-v3
+ uses: anchore/sbom-action@v0
+ with:
+ image: swaggerapi/swagger-generator-v3:${{ env.TAG }}
+ format: spdx-json
+ output-file: swagger-generator-v3.spdx.json
+ - name: Attach SBOM to swagger-generator-v3
+ run: |
+ cosign attach sbom --sbom swagger-generator-v3.spdx.json swaggerapi/swagger-generator-v3:${{ env.TAG }}
+ - name: Generate SBOM for swagger-generator-v3-root
+ uses: anchore/sbom-action@v0
+ with:
+ image: swaggerapi/swagger-generator-v3-root:${{ env.TAG }}
+ format: spdx-json
+ output-file: swagger-generator-v3-root.spdx.json
+ - name: Attach SBOM to swagger-generator-v3-root
+ run: |
+ cosign attach sbom --sbom swagger-generator-v3-root.spdx.json swaggerapi/swagger-generator-v3-root:${{ env.TAG }}
+ - name: Generate SBOM for swagger-codegen-cli-v3
+ uses: anchore/sbom-action@v0
+ with:
+ image: swaggerapi/swagger-codegen-cli-v3:${{ env.TAG }}
+ format: spdx-json
+ output-file: swagger-codegen-cli-v3.spdx.json
+ - name: Attach SBOM to swagger-codegen-cli-v3
+ run: |
+ cosign attach sbom --sbom swagger-codegen-cli-v3.spdx.json swaggerapi/swagger-codegen-cli-v3:${{ env.TAG }}
+ - name: Generate SBOM for swagger-generator-v3-minimal
+ uses: anchore/sbom-action@v0
+ with:
+ image: swaggerapi/swagger-generator-v3-minimal:${{ env.TAG }}
+ format: spdx-json
+ output-file: swagger-generator-v3-minimal.spdx.json
+ - name: Attach SBOM to swagger-generator-v3-minimal
+ run: |
+ cosign attach sbom --sbom swagger-generator-v3-minimal.spdx.json swaggerapi/swagger-generator-v3-minimal:${{ env.TAG }}
 - name: deploy
 run: |
 echo "${{ env.TAG }}"
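Review bot: The four `cosign attach sbom` steps upload each SPDX file as an unsigned artifact addressed by tag, so a consumer cannot verify that the SBOM was produced by this workflow or that it still describes the image it sits next to; cosign also marks `attach sbom` as deprecated. A signed attestation bound to the digest, e.g. `cosign attest --yes --predicate swagger-generator-v3.spdx.json --type spdxjson swaggerapi/swagger-generator-v3@<image-digest>`, closes that gap, but it needs a signing identity (keyless signing requires `id-token: write`) that would have to be set up outside this hunk. The generate steps scan `image: ...:${{ env.TAG }}` on a single runner, which presumably yields an SBOM for one platform while the pushed manifest lists five; either say so in the step name or generate per platform. Separately, `anchore/sbom-action@v0` and `sigstore/cosign-installer@v3.7.0` are mutable tags executed in a job that pushes release images, so pin both to a full commit SHA, e.g. `uses: anchore/sbom-action@<full-commit-sha> # v0`. The same points apply to the SBOM steps added in docker-release-master.yml.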
diff --git a/.github/workflows/docker-release-master.yml b/.github/workflows/docker-release-master.yml index 797e26e3b51..029c638c7a5 100644 --- a/.github/workflows/docker-release-master.yml +++ b/.github/workflows/docker-release-master.yml @@ -2,7 +2,6 @@ name: Build And Push Docker Release Master on: workflow_dispatch: - branches: [ "master" ] inputs: tag: description: tag/version to release @@ -65,6 +64,26 @@ jobs: platforms: linux/amd64,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x provenance: false tags: swaggerapi/swagger-codegen-cli:${{ env.TAG }},swaggerapi/swagger-codegen-cli:latest + - name: Generate SBOM for generator image (SPDX-JSON) + uses: anchore/sbom-action@v0 + with: + image: swaggerapi/swagger-generator:${{ env.TAG }} + format: spdx-json + output-file: swagger-generator.spdx.json + - name: Generate SBOM for CLI image (SPDX-JSON) + uses: anchore/sbom-action@v0 + with: + image: swaggerapi/swagger-codegen-cli:${{ env.TAG }} + format: spdx-json + output-file: swagger-codegen-cli.spdx.json + - name: Install cosign + uses: sigstore/cosign-installer@v3.7.0 + - name: Attach SBOM to generator image using cosign + run: | + cosign attach sbom --sbom swagger-generator.spdx.json swaggerapi/swagger-generator:${{ env.TAG }} + - name: Attach SBOM to CLI image using cosign + run: | + cosign attach sbom --sbom swagger-codegen-cli.spdx.json swaggerapi/swagger-codegen-cli:${{ env.TAG }} - name: deploy run: | echo "${{ env.TAG }}"
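Review bot: Both `cosign attach sbom` steps in the second hunk expand `${{ env.TAG }}` inside the `run:` script, and the first hunk of this file shows a free-form `tag` input on `workflow_dispatch`; if TAG is populated from that input (the assignment is outside the visible hunks), the value is substituted into the script text before the shell parses it. Reading it from the environment keeps it as data: `cosign attach sbom --sbom swagger-generator.spdx.json "swaggerapi/swagger-generator:${TAG}"`, and likewise for the CLI image. The job's steps begin and continue outside the hunk, so whether TAG is validated against a version pattern earlier cannot be confirmed from here; if it is not, a short validation step before the first build would be the place for it.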