karapace/scripts/generate-sbom.sh

#!/usr/bin/env bash
set -euo pipefail

command -v cargo-cyclonedx >/dev/null 2>&1 || {
    echo "Installing cargo-cyclonedx..."
    cargo install cargo-cyclonedx@0.5.7 --locked
}

cargo cyclonedx --format json --override-filename karapace_bom
echo "SBOM written to karapace_bom.cdx.json"
ci: GitHub Actions CI/CD, supply chain hardening, reproducible builds - .github/workflows/ci.yml — 17 jobs: fmt, clippy, test, e2e, enospc, e2e-resolve, build-release (gnu+musl), smoke-test, reproducibility-check (gnu+musl), cross-run-reproducibility (gnu+musl), lockfile-check, cargo-deny, ci-contract - .github/workflows/release.yml — 4 jobs: build, sign (cosign OIDC), verify, publish - .github/workflows/supply-chain-test.yml — 11 adversarial jobs: build-and-sign, verify-signatures, tamper-binary, tamper-sbom, tamper-signature-removal, adversarial-env-injection, adversarial-artifact-tampering, adversarial-build-script, adversarial-credential-injection, adversarial-rustflags-bypass, verify-docs-executable - .github/actions/karapace-build/action.yml — reusable build action - .cargo/config.toml — SOURCE_DATE_EPOCH=0, local path remapping for reproducibility - CI_CONTRACT.md — required jobs list enforced by ci-contract gate job - scripts/generate-sbom.sh — CycloneDX SBOM generation - CARGO_INCREMENTAL=0 globally, cargo clean before all release builds - Cosign keyless signing with GitHub Actions OIDC - 32 total CI jobs across 3 workflows 2026-02-22 17:39:00 +00:00			`#!/usr/bin/env bash`
			`set -euo pipefail`

			`command -v cargo-cyclonedx >/dev/null 2>&1 \|\| {`
			`echo "Installing cargo-cyclonedx..."`
fix supply chain: bump cargo-cyclonedx 0.5.7, fix SBOM generation, fix rmeta test - Bump cargo-cyclonedx from 0.5.5 to 0.5.7 (supports lockfile v4) - Generate SBOM for karapace-cli crate only (single predictable file) - Fix --output-prefix → --override-filename (CLI change in 0.5.x) - Fix rmeta tampering test: accept build failure as valid defense (cargo rejects corrupted .rmeta with compilation errors) 2026-02-22 19:31:08 +00:00			`cargo install cargo-cyclonedx@0.5.7 --locked`
ci: GitHub Actions CI/CD, supply chain hardening, reproducible builds - .github/workflows/ci.yml — 17 jobs: fmt, clippy, test, e2e, enospc, e2e-resolve, build-release (gnu+musl), smoke-test, reproducibility-check (gnu+musl), cross-run-reproducibility (gnu+musl), lockfile-check, cargo-deny, ci-contract - .github/workflows/release.yml — 4 jobs: build, sign (cosign OIDC), verify, publish - .github/workflows/supply-chain-test.yml — 11 adversarial jobs: build-and-sign, verify-signatures, tamper-binary, tamper-sbom, tamper-signature-removal, adversarial-env-injection, adversarial-artifact-tampering, adversarial-build-script, adversarial-credential-injection, adversarial-rustflags-bypass, verify-docs-executable - .github/actions/karapace-build/action.yml — reusable build action - .cargo/config.toml — SOURCE_DATE_EPOCH=0, local path remapping for reproducibility - CI_CONTRACT.md — required jobs list enforced by ci-contract gate job - scripts/generate-sbom.sh — CycloneDX SBOM generation - CARGO_INCREMENTAL=0 globally, cargo clean before all release builds - Cosign keyless signing with GitHub Actions OIDC - 32 total CI jobs across 3 workflows 2026-02-22 17:39:00 +00:00			`}`

fix supply chain: bump cargo-cyclonedx 0.5.7, fix SBOM generation, fix rmeta test - Bump cargo-cyclonedx from 0.5.5 to 0.5.7 (supports lockfile v4) - Generate SBOM for karapace-cli crate only (single predictable file) - Fix --output-prefix → --override-filename (CLI change in 0.5.x) - Fix rmeta tampering test: accept build failure as valid defense (cargo rejects corrupted .rmeta with compilation errors) 2026-02-22 19:31:08 +00:00			`cargo cyclonedx --format json --override-filename karapace_bom`
			`echo "SBOM written to karapace_bom.cdx.json"`