karapace/scripts/generate-sbom.sh at bb03d3adad65614144eec001d8f26a1e5d44d655 - marcoallegretti/karapace - Marco's Code Hub (Forgejo): an attempt to group together the code from my projects and those I contribute to

marcoallegretti/karapace

mirror of https://github.com/marcoallegretti/karapace.git synced 2026-03-26 21:43:09 +00:00

Marco Allegretti bb03d3adad ci: GitHub Actions CI/CD, supply chain hardening, reproducible builds

- .github/workflows/ci.yml — 17 jobs: fmt, clippy, test, e2e, enospc, e2e-resolve,
  build-release (gnu+musl), smoke-test, reproducibility-check (gnu+musl),
  cross-run-reproducibility (gnu+musl), lockfile-check, cargo-deny, ci-contract
- .github/workflows/release.yml — 4 jobs: build, sign (cosign OIDC), verify, publish
- .github/workflows/supply-chain-test.yml — 11 adversarial jobs: build-and-sign,
  verify-signatures, tamper-binary, tamper-sbom, tamper-signature-removal,
  adversarial-env-injection, adversarial-artifact-tampering, adversarial-build-script,
  adversarial-credential-injection, adversarial-rustflags-bypass, verify-docs-executable
- .github/actions/karapace-build/action.yml — reusable build action
- .cargo/config.toml — SOURCE_DATE_EPOCH=0, local path remapping for reproducibility
- CI_CONTRACT.md — required jobs list enforced by ci-contract gate job
- scripts/generate-sbom.sh — CycloneDX SBOM generation
- CARGO_INCREMENTAL=0 globally, cargo clean before all release builds
- Cosign keyless signing with GitHub Actions OIDC
- 32 total CI jobs across 3 workflows

2026-02-22 18:39:00 +01:00

10 lines

270 B

Bash

Executable file

Raw Blame History

 #!/usr/bin/env bash
 set -euo pipefail
 command -v cargo-cyclonedx >/dev/null 2>&1 || {
     echo "Installing cargo-cyclonedx..."
     cargo install cargo-cyclonedx --locked
 }
 cargo cyclonedx --format json --output-prefix karapace
 echo "SBOM written to karapace_bom.json"