fix: enable SBOM generation and provenance in release workflow (#1547)

Signed-off-by: Michael Beemer <[email protected]>
open-feature · Feb 4, 2025 · c9b936e · c9b936e
1 parent ca663b5
commit c9b936e
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 31 deletions.
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
@@ -108,6 +108,8 @@ jobs:
           context: .
           file: ./${{ matrix.path }}/build.Dockerfile
           platforms: linux/amd64,linux/arm64
+          provenance: mode=max
+          sbom: true
           push: true
           tags: |
             ${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}:latest
@@ -128,24 +130,12 @@ jobs:
           COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
           COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
 
-      - name: Generate image SBOM file name
-        id: image-sbom-file-gen
-        run: echo "IMG_SBOM_FILE=${{ format('{0}-{1}-sbom.spdx.json', matrix.path, env.VERSION) }}" >> $GITHUB_OUTPUT
-
-      - name: SBOM for latest image
-        uses: anchore/sbom-action@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0
-        with:
-          image: ${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}:${{ env.VERSION }}
-          artifact-name: ${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
-          output-file: ${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
-
       - name: Bundle release assets
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           tag_name: ${{ env.TAG }}
           files: |
             ${{ env.PUBLIC_KEY_FILE }}
-            ${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
 
   release-go-binaries:
     name: Create and publish binaries to GitHub
@@ -211,24 +201,6 @@ jobs:
         run: |
           env CGO_ENABLED=0 GOOS=windows GOARCH=386 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_windows_i386 ./${{ matrix.path }}/main.go
           zip -r ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Windows_i386.zip ./${{ matrix.path }}_windows_i386 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
-      # Bundle licenses
-      - name: Install go-licenses
-        run: go install github.com/google/go-licenses@latest
-      - name: Build license extraction locations
-        id: license-files
-        run: |
-          echo "LICENSE_FOLDER=${{ format('{0}-third-party-license', matrix.path) }}" >> $GITHUB_OUTPUT
-          echo "LICENSE_ERROR_FILE=${{ format('{0}-license-errors.txt', matrix.path) }}" >> $GITHUB_OUTPUT
-      - name: Run go-licenses for module ${{ matrix.path }}
-        run: go-licenses save ./${{ matrix.path }} --save_path=./${{ steps.license-files.outputs.LICENSE_FOLDER }} --force --logtostderr=false 2> ./${{ steps.license-files.outputs.LICENSE_ERROR_FILE }}
-        continue-on-error: true # tool set stderr which can be ignored and referred through error artefact
-      - name: Bundle license extracts
-        run: |
-          if [ -d ./${{ steps.license-files.outputs.LICENSE_FOLDER }} ]; then
-            tar czf ./${{ steps.license-files.outputs.LICENSE_FOLDER }}.tar.gz ./${{ steps.license-files.outputs.LICENSE_FOLDER }}
-          else
-            echo "Directory ./${{ steps.license-files.outputs.LICENSE_FOLDER }} does not exist. Skipping tar creation."
-          fi
       # Bundle release artifacts
       - name: Bundle release assets
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
@@ -238,7 +210,6 @@ jobs:
             ./sbom.xml
             ./*.tar.gz
             ./*.zip
-            ./${{ steps.license-files.outputs.LICENSE_ERROR_FILE }}
   homebrew:
     name: Bump homebrew-core formula
     needs: release-please

diff --git a/docs/faq.md b/docs/faq.md
@@ -33,6 +33,27 @@ Please see [architecture](./architecture.md) and [installation](./installation.m
 
 ---
 
+> How can I access the SBOM for flagd?
+
+SBOMs for the flagd binary are available as assets on the [GitHub release page](https://github.com/open-feature/flagd/releases).
+Container SBOMs can be inspected using the Docker CLI.
+
+An example of inspecting the SBOM for the latest flagd `linux/amd64` container image:
+
+```shell
+docker buildx imagetools inspect ghcr.io/open-feature/flagd:latest \
+    --format '{{ json (index .SBOM "linux/amd64").SPDX }}'
+```
+
+An example of inspecting the SBOM for the latest flagd `linux/arm64` container image:
+
+```shell
+docker buildx imagetools inspect ghcr.io/open-feature/flagd:latest \
+    --format '{{ json (index .SBOM "linux/arm64").SPDX }}'
+```
+
+---
+
 > Why doesn't flagd support {_my desired feature_}?
 
 Because you haven't opened a PR or created an issue!