.github/workflows/sbom.yml

name: Generate SBOMs

on:
  workflow_call:
    inputs:
      image-digest:
        type: string
        required: true

jobs:
  sbom:
    name: Generate SBOM, sign and attach them to OCI image
    strategy:
      matrix:
        arch: [amd64, arm64]

    permissions:
      packages: write
      id-token: write

    runs-on: ubuntu-latest
    steps:
      # this is required to obtain the syft configuration
      - name: Checkout code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install cosign
        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0

      - name: Install the syft command
        uses: kubewarden/github-actions/syft-installer@006574f6fc951a9f7207ea524ea9463cc92c1527 # v3.1.15

      - name: Install the crane command
        uses: kubewarden/github-actions/crane-installer@006574f6fc951a9f7207ea524ea9463cc92c1527 # v3.1.15

      - name: Login to GitHub Container Registry
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Find platform digest
        shell: bash
        run: |
          set -e
          DIGEST=$(crane digest \
            --platform "linux/${{ matrix.arch }}" \
            ghcr.io/${{ github.repository_owner }}/policy-server@${{ inputs.image-digest }})
          echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"

      - name: Create SBOM file
        shell: bash
        run: |
          syft \
            -o spdx-json \
            --file policy-server-sbom-${{ matrix.arch }}.spdx \
            ghcr.io/${{ github.repository_owner }}/policy-server@${{ env.PLATFORM_DIGEST }}

      - name: Sign SBOM file
        run: |
          cosign sign-blob --yes \
            --output-certificate policy-server-sbom-${{ matrix.arch }}.spdx.cert \
            --output-signature policy-server-sbom-${{ matrix.arch }}.spdx.sig \
            policy-server-sbom-${{ matrix.arch }}.spdx

      - name: Attach SBOM file in the container image
        shell: bash
        run: |
          cosign attach \
            sbom --sbom policy-server-sbom-${{ matrix.arch }}.spdx \
            ghcr.io/${{ github.repository_owner }}/policy-server@${{ env.PLATFORM_DIGEST }}

      - name: Sign SBOM file pushed to OCI registry
        shell: bash
        run: |
          set -e
          SBOM_TAG="$(echo ${{ env.PLATFORM_DIGEST }} | sed -e 's/:/-/g').sbom"

          cosign sign --yes \
            ghcr.io/${{github.repository_owner}}/policy-server:${SBOM_TAG}

      - name: Upload SBOMs as artifacts
        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
        with:
          name: sbom-${{ matrix.arch }}
          path: policy-server-sbom-${{ matrix.arch }}*