From 46880738d6965a63bcf0d03d5ed8f5b0e8886400 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Sun, 10 Mar 2024 14:55:22 +0100
Subject: [PATCH] ci: generate sbom and provenance
---
.github/workflows/build.yml | 21 +++++++++++++++++++++
Dockerfile | 2 ++
2 files changed, 23 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 017a0d24..4073e082 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -114,11 +114,26 @@ jobs:
uses: docker/bake-action@v4
with:
targets: artifact
+ provenance: mode=max
+ sbom: true
pull: true
set: |
*.platform=${{ matrix.platform }}
*.cache-from=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }}
*.cache-to=type=gha,scope=artifact-${{ env.PLATFORM_PAIR }},mode=max
+ - name: Rename provenance and sbom
working-directory: ${{ env.DESTDIR }}/artifact
run: |
binname=$(find . -name 'diun_*')
filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
mv "provenance.json" "$(unknown).provenance.json"
mv "sbom-binary.spdx.json" "$(unknown).sbom.json"
find . -name 'sbom*.json' -exec rm {} \;
- name: List artifacts
run: |
tree -nh ${{ env.DESTDIR }}
- name: Upload artifact
uses: actions/upload-artifact@v4
@@ -143,6 +158,10 @@ jobs:
path: ${{ env.DESTDIR }}
pattern: diun-*
merge-multiple: true
+ - name: List artifacts
run: |
tree -nh ${{ env.DESTDIR }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
@@ -231,6 +250,8 @@ jobs:
./docker-bake.hcl
${{ steps.meta.outputs.bake-file }}
targets: image-all
+ provenance: mode=max
+ sbom: true
pull: true
push: ${{ github.event_name != 'pull_request' }}
set: |
diff --git a/Dockerfile b/Dockerfile
index 46578a22..c76ad420 100644
--- a/Dockerfile
+++ b/Dockerfile
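Review bot: The rename step's `binname=$(find . -name 'diun_*')` has no guard, so a build that produces no archive leaves `filename` empty and the two `mv` lines quietly write `.provenance.json` / `.sbom.json` dotfiles instead of failing, and a second match would hand `basename` a multi-line argument. I would take the first hit only and fail loudly: `binname=$(find . -name 'diun_*' -print -quit)` followed by `[ -n "$filename" ] || { echo "no diun_* archive found" >&2; exit 1; }`. As printed, the `mv` destinations read `"$(unknown).provenance.json"`, which is a command substitution rather than the `$filename` computed just above; if that is not an extraction artefact it should be `"${filename}.provenance.json"` (and likewise for the SBOM). The attestations are then uploaded as plain files with no signature, so a consumer can only trust them as far as the artifact store itself, which is worth a comment on the step if that is the intent. The job these steps belong to continues outside the hunk.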
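Review bot: `provenance: mode=max` on the pushed `image-all` build records, per BuildKit's documentation, every build argument with its value and the Dockerfile source in an attestation that is published to the registry next to the image, so anything passed through `*.args.*` in `set:` or in `./docker-bake.hcl` (neither fully visible here) must not carry a secret. A one-line comment above it would keep that from being forgotten: `# mode=max publishes all build args in the provenance attestation; never pass secrets as build args`. Note also that BuildKit only attaches these attestations and does not sign them, so if the project wants verifiable provenance a separate signing step after the push is still needed. The `set:` block this hunk ends on continues outside the hunk.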
@@ -62,6 +62,8 @@ COPY --link --from=build /usr/bin/diun /diun.exe
FROM binary-unix AS binary-darwin
FROM binary-unix AS binary-linux
FROM binary-$TARGETOS AS binary
+# enable scanning for this stage
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS build-artifact
RUN apk add --no-cache bash tar zip
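Review bot: The new comment `# enable scanning for this stage` says less than the line does: `ARG BUILDKIT_SBOM_SCAN_STAGE=true` is stage-scoped only because it is declared after the `FROM` that opens `binary`, and the same ARG placed before the first `FROM` would turn scanning on for every stage. The scanner's output is named after the stage, which is what this patch's workflow relies on when it moves `sbom-binary.spdx.json`, so renaming this stage silently breaks that rename step. I would say so in place: `# Stage-scoped (declared after FROM): only the binary stage is scanned; the result is emitted as sbom-binary.spdx.json, which build.yml renames`. What the scanner can actually find in the `binary-*` stages depends on their base, which is outside this hunk.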