Enhance release workflow with SBOM and signing #1227
Helion55 wants to merge 3 commits into netobserv:main from
Conversation
Updated the release workflow to include SBOM generation and image signing.
Hi @Helion55. Thanks for your PR. I'm waiting for a netobserv member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Details
Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
FYI I've run a test here: https://github.com/netobserv/flowlogs-pipeline/actions/runs/25151488067/job/73722871869 |
| # You may pin to the exact commit or the version. | ||
| # uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 |
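Review bot: the live `uses:` line for sigstore/cosign-installer stays on a mutable tag while the commit-SHA form exists only as a comment; make the SHA form the live line (`uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # <version placeholder>`) and drop the commented copy. A tag can be moved upstream, which would let a replaced release of the signing tooling run with this job's OIDC token, so the same digest pinning belongs on actions/attest-build-provenance@v3, actions/attest-sbom@v3 and anchore/sbom-action@v0 used later in this workflow.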
We should actually do exactly this: pin all tagged versions used here and in other actions to their digest SHA.
I've started another try after fixing an issue in the image name & multi-arch: https://github.com/netobserv/flowlogs-pipeline/actions/runs/25152829470/job/73727257890
📝 Walkthrough
Release workflow adds SBOM generation and cryptographic image signing. Introduces configurable registry via environment variable, refactors Docker login to use it, and implements OIDC-based cosign signing, verification, provenance attestation, and SPDX SBOM generation with registry attestation.
Changes: Release Security Hardening
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 85-95: The workflow is using a non-existent output
steps.create_release.outputs.digest for cosign sign/verify and the
attest-build-provenance subject-digest; capture the image SHA digest from the
image build/push step (the job/step that actually pushes the container) and
expose it as an output (e.g., set an output like steps.build_push.outputs.digest
or job output), then replace all occurrences of
steps.create_release.outputs.digest with that digest output in the cosign sign,
cosign verify invocations and the with: subject-digest for
actions/attest-build-provenance@v3 so the signing/verifying and attestations use
the real image digest.
- Around line 83-114: The job lacks required GitHub Actions permissions causing
cosign and attestation steps to fail; add a job-level permissions block that
grants at minimum id-token: write (for cosign OIDC signing), attestations: write
(for actions/attest-build-provenance@v3 and actions/attest-sbom@v3), and
artifact-metadata: write (for push-to-registry metadata used by
anchore/sbom-action@v0 and the attest steps) placed before the steps that run
cosign sign/verify, the Attest Provenance step, the Generate SBOM step, and the
Attest SBOM step so those actions can obtain tokens and push metadata.
- Around line 83-113: The workflow uses WF_MULTIARCH_TARGETS directly in image
refs and a nonexistent steps.create_release.outputs.digest; fix by introducing a
single image-name variable (e.g., WF_IMAGE_NAME) that composes registry/org/tag
without WF_MULTIARCH_TARGETS and use that variable in all cosign, sbom and
attestation steps (references: WF_MULTIARCH_TARGETS, the cosign sign/verify
steps, anchore/sbom-action image input,
actions/attest-build-provenance/attest-sbom subject-name/subject-digest).
Replace the bogus steps.create_release.outputs.digest usage with the actual
image digest produced by the image push step (or the container build/push action
that exposes a digest output) and wire that output into subject-digest and
cosign commands (instead of create_release.outputs.digest). Finally add a
workflow-level permissions block granting id-token: write and attestations:
write so cosign and attestation actions can mint OIDC tokens (affects overall
workflow permissions section).
ℹ️ Review info: configuration used .coderabbit.yaml, review profile CHILL, plan Pro.
📒 Files selected for processing (1): .github/workflows/release.yml
| - name: Sign and verify the image with GitHub OIDC Token | ||
| run: | | ||
| cosign sign --yes ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }}@${{ steps.create_release.outputs.digest }} | ||
|
|
||
| cosign verify ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }}@${{ steps.create_release.outputs.digest }} \ | ||
| --certificate-identity=https://github.com/netobserv/flowlogs-pipeline/blob/main/.github/workflows/release.yml@refs/heads/main \ | ||
| --certificate-oidc-issuer=https://token.actions.githubusercontent.com | ||
|
|
||
| - name: Attest Provenance attestations | ||
| uses: actions/attest-build-provenance@v3 | ||
| with: | ||
| subject-name: ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }} | ||
| subject-digest: ${{ steps.create_release.outputs.digest }} | ||
| push-to-registry: true | ||
|
|
||
| - name: Generate SBOM | ||
| uses: anchore/sbom-action@v0 | ||
| with: | ||
| image: ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }} | ||
| registry-username: ${{ env.WF_REGISTRY_USER }} | ||
| registry-password: ${{ secrets.QUAY_SECRET }} | ||
| format: 'spdx-json' | ||
| output-file: 'sbom.spdx.json' | ||
|
|
||
| - name: Attest SBOM | ||
| uses: actions/attest-sbom@v3 | ||
| id: attest | ||
| with: | ||
| subject-name: ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }} | ||
| subject-digest: ${{ steps.create_release.outputs.digest }} | ||
| sbom-path: 'sbom.spdx.json' | ||
| push-to-registry: true |
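Review bot: the `--certificate-identity` value on the `cosign verify` line will not match the certificate Fulcio issues for this run. For a GitHub Actions run the identity is `https://github.com/` followed by the job_workflow_ref claim, i.e. `https://github.com/netobserv/flowlogs-pipeline/.github/workflows/release.yml@<ref>` with no `/blob/main/` segment, and `<ref>` is the ref that triggered the run, so a tag-triggered release will not carry `refs/heads/main`. Build the identity from `${{ github.ref }}`, or use `--certificate-identity-regexp` anchored on the workflow path, otherwise the verify step fails on every release even though the signature is valid.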
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check the release.yml file, particularly looking for permissions block
cat -n .github/workflows/release.yml | head -150
Repository: netobserv/flowlogs-pipeline
Length of output: 5619
🌐 Web query:
actions/attest-build-provenance@v3 permissions required id-token
💡 Result:
For actions/attest-build-provenance@v3, the GitHub Actions job/workflow permissions you must set are:
permissions: id-token: write, attestations: write, artifact-metadata: write
The id-token: write permission is needed because the action mints an OIDC token to request a Sigstore signing certificate.[1] The attestations: write permission is needed to persist the attestation.[1] The artifact-metadata: write permission is required to generate artifact metadata storage records; if omitted, the action continues but won't create the record.[1]
Example job snippet (from the action docs): permissions: id-token: write, contents: read, attestations: write
Note: that example omits artifact-metadata, but the README for the v3 action explicitly lists artifact-metadata: write as required for full metadata record generation.[1][2]
Citations:
- 1: https://github.com/actions/attest-build-provenance/blob/v3.2.0/README.md
- 2: https://github.com/actions/attest-build-provenance/tree/03fc44ed67c67cf2fb577046feff97b214b91b0b
🌐 Web query:
actions/attest-sbom@v3 permissions required attestations
💡 Result:
For actions/attest-sbom@v3, your GitHub Actions workflow job must grant these permissions to be able to create and store the SBOM attestation:
- id-token: write [1][2]: needed to mint the OIDC token so the action can request a Sigstore signing certificate. [1][2]
- attestations: write [1][2]: needed to persist the attestation. [1][2]
Example: permissions: id-token: write, attestations: write [1][2]
If you're using actions/attest-sbom specifically: it is a wrapper around actions/attest (so these permissions apply in v3). [3][4]
Citations:
- 1: https://github.com/actions/attest-sbom/tree/v3.0.0?tab=readme-ov-file
- 2: https://github.com/actions/attest-sbom/blob/25b3c0884a6f558d0eb9765e170a44600bad2743/README.md
- 3: https://github.com/actions/attest-sbom
- 4: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
🌐 Web query:
cosign sign GitHub OIDC id-token:write permissions
💡 Result:
To use Cosign keyless signing from GitHub Actions with GitHub OIDC, your workflow job must grant the id-token: write permission.
Example workflow permissions: permissions: id-token: write # plus whatever other scopes you need (e.g., packages: write, contents: read)
Evidence: Sigstore's own GitHub Actions workflow for testing GitHub OIDC uses exactly permissions: id-token: write for the job that runs Cosign keyless signing [1]. The sigstore/docs signing overview also describes that Cosign supports automated environments using OIDC identity tokens from specific issuers, and (in GitHub's case) the token comes from the workflow run context [2]. A concrete workflow example in the cosign-installer README likewise notes id-token: write is needed for signing images with the GitHub OIDC token [3].
What to run in the job:
- Install Cosign (e.g., with sigstore/cosign-installer)
- Run cosign sign against the image digest or reference; the GitHub-issued OIDC token is used automatically in the workflow context (you typically don't need to manually pass an OIDC token) [2][3].
If you are trying to control the OIDC issuer/provider flags: be careful. The GitHub Actions OIDC flow uses GitHub's token issuer (https://token.actions.githubusercontent.com). If you override the OIDC issuer/provider incorrectly, Cosign will fail because the received OIDC token is issued by a different provider than the expected one [4].
Answer to your query (permissions): grant permissions.id-token = write (at least on the job that runs cosign sign) [1][3].
Citations:
- 1: https://github.com/sigstore/cosign/blob/main/.github/workflows/github-oidc.yaml
- 2: https://github.com/sigstore/docs/blob/main/content/en/cosign/signing/overview.md
- 3: https://github.com/sigstore/cosign-installer/blob/main/README.md
- 4: OIDC-Issuer flag ignored (Github Actions) sigstore/cosign#1258
Add permissions block to enable OIDC signing and attestations.
The job is missing required permissions: id-token: write (for cosign OIDC signing), attestations: write (for attest-build-provenance and attest-sbom), and artifact-metadata: write (for metadata storage when push-to-registry is used). Without these permissions, the signing and attestation steps will fail. Add a permissions block at the job level before these steps execute.
| - name: Sign and verify the image with GitHub OIDC Token | ||
| run: | | ||
| cosign sign --yes ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }}@${{ steps.create_release.outputs.digest }} | ||
|
|
||
| cosign verify ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }}@${{ steps.create_release.outputs.digest }} \ | ||
| --certificate-identity=https://github.com/netobserv/flowlogs-pipeline/blob/main/.github/workflows/release.yml@refs/heads/main \ | ||
| --certificate-oidc-issuer=https://token.actions.githubusercontent.com | ||
|
|
||
| - name: Attest Provenance attestations | ||
| uses: actions/attest-build-provenance@v3 | ||
| with: | ||
| subject-name: ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }} | ||
| subject-digest: ${{ steps.create_release.outputs.digest }} | ||
| push-to-registry: true | ||
|
|
||
| - name: Generate SBOM | ||
| uses: anchore/sbom-action@v0 | ||
| with: | ||
| image: ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }} | ||
| registry-username: ${{ env.WF_REGISTRY_USER }} | ||
| registry-password: ${{ secrets.QUAY_SECRET }} | ||
| format: 'spdx-json' | ||
| output-file: 'sbom.spdx.json' | ||
|
|
||
| - name: Attest SBOM | ||
| uses: actions/attest-sbom@v3 | ||
| id: attest | ||
| with: | ||
| subject-name: ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }} | ||
| subject-digest: ${{ steps.create_release.outputs.digest }} | ||
| sbom-path: 'sbom.spdx.json' |
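Review bot: the Generate SBOM step scans `image:` by a tag-style reference while both attest steps take a `subject-digest`, so the SBOM can describe a different artifact than the one being attested if the tag is moved between steps. Pass the same digest-pinned reference (`image: <name>@<digest>`) to anchore/sbom-action, and keep in mind that for a multi-arch image the scanner resolves the index to one platform, so a single SBOM does not cover the amd64, arm64, ppc64le and s390x variants listed in WF_MULTIARCH_TARGETS unless one is generated per platform.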
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Locate and inspect the release workflow
find . -name "release.yml" -path "*/.github/workflows/*" | head -5
Repository: netobserv/flowlogs-pipeline
Length of output: 103
🏁 Script executed:
#!/bin/bash
# Get the full content of the release workflow to understand context
cat -n .github/workflows/release.yml
Repository: netobserv/flowlogs-pipeline
Length of output: 5619
🌐 Web query:
actions/create-release@v1 outputs digest
💡 Result:
The action actions/create-release@v1 does not define any output named “digest”. Its documented step outputs are: id, html_url, and upload_url.[1] Practical implication: if you use id: create_release, you can reference ${{ steps.create_release.outputs.upload_url }} (commonly used with actions/upload-release-asset), but there is no ${{ steps.create_release.outputs.digest }} output to read.[1]
🌐 Web query:
actions/attest-build-provenance@v3 permissions requirements OIDC
💡 Result:
For actions/attest-build-provenance@v3, the workflow permissions needed are:
permissions: id-token: write, attestations: write, artifact-metadata: write
The action uses id-token: write to mint the OIDC token required to request a Sigstore signing certificate, attestations: write to persist the attestation, and artifact-metadata: write to generate artifact metadata storage records (the action continues without creating the record if artifact-metadata isn't included). [1][2]
OIDC-specific permission requirement: GitHub documents that to request an OIDC (JWT) token in a workflow/job, the job/workflow must grant id-token: write; without it, the OIDC JWT ID token cannot be requested. [3]
Citations:
- 1: https://github.com/actions/attest-build-provenance/blob/v3.2.0/README.md
- 2: https://github.com/actions/attest-build-provenance/tree/03fc44ed67c67cf2fb577046feff97b214b91b0b
- 3: https://docs.github.com/en/actions/reference/security/oidc
🌐 Web query:
actions/attest-sbom@v3 permissions requirements
💡 Result:
For actions/attest-sbom@v3, the workflow job permissions required are:
permissions: id-token: write, attestations: write
The id-token: write permission is required so the action can mint the OIDC token used to request a Sigstore signing certificate, and the attestations: write permission is required to persist the SBOM attestation to GitHub. [1][2]
Example (job-level): jobs: attest: permissions: id-token: write, attestations: write
Notes: actions/attest-sbom is deprecated in favor of actions/attest, but the v3 permission requirements above are stated in the action's documentation for the relevant versions. [3]
Citations:
- 1: https://github.com/actions/attest-sbom/tree/v3.0.0?tab=readme-ov-file
- 2: https://github.com/actions/attest-sbom/blob/25b3c0884a6f558d0eb9765e170a44600bad2743/README.md
- 3: https://github.com/actions/attest-sbom
Fix malformed image references and add required workflow permissions.
The image reference on lines 85, 87, 94, 101, 111 interpolates WF_MULTIARCH_TARGETS (which expands to amd64 arm64 ppc64le s390x), producing invalid OCI references. Create a dedicated image-name variable instead. Additionally, actions/create-release@v1 does not output a digest field—it only provides id, html_url, and upload_url. The cosign sign/verify steps and attestation actions (lines 85–113) will fail because they reference the nonexistent steps.create_release.outputs.digest. Finally, add a workflow-level permissions block granting id-token: write and attestations: write (required by the attestation actions to mint OIDC tokens).
| cosign sign --yes ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }}@${{ steps.create_release.outputs.digest }} | ||
|
|
||
| cosign verify ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }}@${{ steps.create_release.outputs.digest }} \ | ||
| --certificate-identity=https://github.com/netobserv/flowlogs-pipeline/blob/main/.github/workflows/release.yml@refs/heads/main \ | ||
| --certificate-oidc-issuer=https://token.actions.githubusercontent.com | ||
|
|
||
| - name: Attest Provenance attestations | ||
| uses: actions/attest-build-provenance@v3 | ||
| with: | ||
| subject-name: ${{ env.WF_REGISTRY_NAME }}/${{ env.WF_MULTIARCH_TARGETS }}/${{ env.WF_ORG }}/${{ env.tag }} | ||
| subject-digest: ${{ steps.create_release.outputs.digest }} |
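Review bot: `subject-name` for actions/attest-build-provenance with `push-to-registry: true` has to be the image repository name alone, without a tag, and the path composed here ends in `${{ env.tag }}` as a path segment rather than the `repository:tag` form the push step publishes. Derive both `subject-name` and the cosign target from one `WF_IMAGE_NAME` value plus the digest output of the push step, so that the attestation is stored in the registry next to the image it describes; compare the composed name against the reference the push step actually emits before merging. The step name `Attest Provenance attestations` also reads doubled; `Attest build provenance` is enough.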
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/release.yml | head -150
Repository: netobserv/flowlogs-pipeline
Length of output: 5619
🌐 Web query:
actions/create-release@v1 outputs documentation
💡 Result:
For actions/create-release@v1, the step outputs are the release fields returned by the GitHub Releases API. In the action documentation, these outputs are:
- id: The release ID [1]
- html_url: The URL users can navigate to view the release [1]
- upload_url: The URL for uploading assets to the release [1]
Example usage (accessing step outputs): ${{ steps.<step_id>.outputs.id }}, ${{ steps.<step_id>.outputs.html_url }}, ${{ steps.<step_id>.outputs.upload_url }} [1]
Note: the docs also show "For more information on these outputs, see the API Documentation for an example of what these outputs look like" [1].
steps.create_release.outputs.digest does not exist and these commands will fail.
actions/create-release@v1 only outputs id, html_url, and upload_url. The digest must come from the image build/push step (line 43) and be threaded through as an output variable. This breaks cosign signing (lines 85, 87) and both attestation steps (lines 95, 112).
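A corrected shape for the release job, covering the three review findings above (job-level permissions, one image-name variable, and a digest taken from the push step). This is an added example, not the PR's code and not netobserv's workflow: it assumes the image is pushed with docker/build-push-action (whose `digest` output is real), that the tag is the pushed git ref name, and the WF_IMAGE_NAME value is a placeholder; action references are shown as tags and should be pinned to commit SHAs as discussed in the thread.

```yaml
jobs:
  release:
    runs-on: ubuntu-latest
    # Least-privilege grants needed by keyless cosign and the attest actions
    permissions:
      contents: read
      id-token: write          # mint the GitHub OIDC token for Sigstore
      attestations: write      # persist provenance and SBOM attestations
      artifact-metadata: write # metadata records when push-to-registry is used
    env:
      WF_REGISTRY_NAME: quay.io
      WF_ORG: netobserv
      # One repository name: no platform list and no tag inside the path
      WF_IMAGE_NAME: quay.io/netobserv/flowlogs-pipeline   # assumption: placeholder
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3   # pin to a commit SHA in practice
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.WF_REGISTRY_NAME }}
          username: ${{ env.WF_REGISTRY_USER }}
          password: ${{ secrets.QUAY_SECRET }}
      - name: Build and push multi-arch image
        id: build_push
        uses: docker/build-push-action@v6
        with:
          push: true
          platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
          tags: ${{ env.WF_IMAGE_NAME }}:${{ github.ref_name }}
      - name: Sign by digest, then verify against this workflow's identity
        env:
          DIGEST: ${{ steps.build_push.outputs.digest }}   # sha256:... of the pushed index
        run: |
          cosign sign --yes "${WF_IMAGE_NAME}@${DIGEST}"
          # The certificate identity is the job_workflow_ref claim: the workflow
          # file path in the repo plus the ref that triggered this run.
          cosign verify "${WF_IMAGE_NAME}@${DIGEST}" \
            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
            --certificate-identity="https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }}"
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v3
        with:
          subject-name: ${{ env.WF_IMAGE_NAME }}   # repository only, no tag, when pushing to the registry
          subject-digest: ${{ steps.build_push.outputs.digest }}
          push-to-registry: true
      - name: Generate SBOM for the pushed digest
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.WF_IMAGE_NAME }}@${{ steps.build_push.outputs.digest }}
          registry-username: ${{ env.WF_REGISTRY_USER }}
          registry-password: ${{ secrets.QUAY_SECRET }}
          format: spdx-json
          output-file: sbom.spdx.json
      - name: Attest SBOM
        uses: actions/attest-sbom@v3
        with:
          subject-name: ${{ env.WF_IMAGE_NAME }}
          subject-digest: ${{ steps.build_push.outputs.digest }}
          sbom-path: sbom.spdx.json
          push-to-registry: true
```

Every signing and attestation step references the same digest, so a later retag of the image cannot change which artifact the signature, provenance and SBOM describe.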
Description
Added new jobs in the release.yml workflow. Solves: netobserv/netobserv-operator#2490 (comment)