
ci(release): generate SPDX SBOM for published Docker images and upload as a workflow artifact #2620

Open
olamilekan000 wants to merge 1 commit into main from add-sbom-artefact-to-releases

Conversation

@olamilekan000 (Contributor)

This change adds an SBOM job to the image workflow after images are pushed. An SBOM is generated for each image and attached to the workflow artifacts. This makes it easier to trace exactly which packages and dependencies are included in a built image, helping with vulnerability scanning, auditing, and supply chain verification.
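As an added example (not code from this PR or the project): a small Python parser for an SPDX 2.x JSON SBOM like the one this job uploads. It lists the packages the image contains as purls, which is what a vulnerability scanner consumes, and checks that the document's DESCRIBES root records the digest of the image it is meant to describe, which is what ties an SBOM to a pushed image. The SBOM content, image name, digest and the convention that the root package's versionInfo holds the digest are all constructed for this example.

```python
import json

# Constructed SPDX 2.3 JSON SBOM standing in for the one the workflow uploads;
# image name, digest and packages are made up for this example.
IMAGE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example.invalid/app:1.2.3",
    "packages": [
        {"SPDXID": "SPDXRef-Image", "name": "example.invalid/app",
         "versionInfo": IMAGE_DIGEST},  # assumed: root package carries the digest
        {"SPDXID": "SPDXRef-openssl", "name": "openssl", "versionInfo": "3.0.13-1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.13-1"}]},
        {"SPDXID": "SPDXRef-requests", "name": "requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Image"},
        {"spdxElementId": "SPDXRef-Image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-openssl"},
        {"spdxElementId": "SPDXRef-Image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-requests"},
    ],
})


def image_contents(sbom_json, expected_digest):
    """Return (digest_matches, purls): whether the SBOM's DESCRIBES root records
    expected_digest, and the sorted purls of the packages that root CONTAINS."""
    doc = json.loads(sbom_json)
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    rels = doc.get("relationships", [])
    roots = [r["relatedSpdxElement"] for r in rels
             if r["spdxElementId"] == doc["SPDXID"] and r["relationshipType"] == "DESCRIBES"]
    if len(roots) != 1 or roots[0] not in by_id:
        return False, []  # no single described root: the SBOM cannot be tied to an image
    root = by_id[roots[0]]
    matches = root.get("versionInfo") == expected_digest
    # CONTAINS edges from the root are the packages actually inside the image.
    contained = {r["relatedSpdxElement"] for r in rels
                 if r["spdxElementId"] == root["SPDXID"] and r["relationshipType"] == "CONTAINS"}
    purls = sorted(ref["referenceLocator"]
                   for pid in contained if pid in by_id
                   for ref in by_id[pid].get("externalRefs", [])
                   if ref.get("referenceType") == "purl")
    return matches, purls
```

A mismatch on the first value means the uploaded SBOM does not describe the image digest that was actually pushed, which is the gap the review thread below asks about.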

@olamilekan000 changed the title from "chore(ci): generate SPDX SBOM for published Docker images and upload as a workflow artifact" to "ci(release): generate SPDX SBOM for published Docker images and upload as a workflow artifact" on Apr 6, 2026
Comment thread .github/workflows/build-image.yml Outdated
fi

- name: Generate SPDX SBOM
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610
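Review bot: the `uses:` line pins anchore/sbom-action to a full commit SHA but carries no comment naming the release tag that SHA corresponds to, so reviewers and dependency-update tooling cannot tell which version of the action is in use or whether the SHA was copied correctly; append the tag as a trailing comment on the same line, e.g. `uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # <release tag>` (placeholder, fill in from the action's releases page), and do the same for every other SHA-pinned action in this workflow.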
Collaborator

@olamilekan000, add a code comment for the action tag.

Contributor Author

Like their version?

Comment thread .github/workflows/build-image.yml Outdated
upload-release-assets: false

- name: Upload SBOM artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
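Review bot: with `upload-release-assets: false` followed by an `actions/upload-artifact` step, the SBOM exists only as a workflow artifact that is not tied to the image digest it describes, and workflow artifacts expire (90 days by default) while the pushed image tags persist; state that limitation in the step name or PR description, set `retention-days` on the upload step so the SBOM does not silently outlive-by-less the images it documents, and consider a follow-up that attaches the SBOM to the image digest in the registry (for example as a cosign attestation) so a consumer pulling the image can discover it without access to this workflow's artifacts.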
Collaborator

@olamilekan000, does this correctly attach to the uploaded Docker image?

Contributor Author

No, this only includes it as part of the release artefact. Should we also include as part of the image?

@olamilekan000 force-pushed the add-sbom-artefact-to-releases branch from 5aea373 to 3ef56af on April 7, 2026 10:21
@olamilekan000 force-pushed the add-sbom-artefact-to-releases branch from 3ef56af to 92225c5 on April 7, 2026 10:21
