fix(ci): ensure sbom failure doesn't brick container creation

This commit is contained in:
Kjeld Schouten
2025-04-09 12:59:53 +02:00
parent ae234ca50f
commit f39ee0a99b
2 changed files with 5 additions and 2 deletions
+4 -2
View File
@@ -302,17 +302,19 @@ jobs:
cosign verify quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/truecharts/public/.github/workflows/containers.build.yaml@refs/heads/master
- name: Generate SBOM
id: generate_sbom
if: github.event_name != 'pull_request'
continue-on-error: true
run: |
syft "quay.io/tccr/${{ matrix.container }}:v${{ steps.prep.outputs.version }}@${{ steps.push.outputs.digest }}" -o spdx-json=${{ matrix.container }}-sbom-spdx.json
- name: Attach SBOM to image
if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request' && steps.generate_sbom.outcome == 'success'
run: |
cosign attest --predicate ${{ matrix.container }}-sbom-spdx.json --type spdx "quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }}" -y
- name: Verify SBOM attestation
if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request' && steps.generate_sbom.outcome == 'success'
run: |
cosign verify-attestation quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }} --type https://spdx.dev/Document --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/truecharts/containers/.github/workflows/containers.build.yaml@refs/heads/master | jq '.payload |= @base64d | .payload | fromjson'