WIP: try pushing sbom

Author: elelaysh

.github/workflows/stackhpc-container-image-build.yml

@@ -170,6 +170,16 @@ jobs:
           ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
           curl -sL "https://github.com/mikefarah/yq/releases/download/v4.42.1/yq_linux_${ARCH}.tar.gz" | tar xz && sudo mv yq_linux_${ARCH} /usr/bin/yq
 
+      - name: Install regctl
+        run: |
+          ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
+          declare -A regctl_checksums
+          regctl_checksums+=([amd64]=d3de5d4e1bc4d771a56a835294f597815b67bb6c0c32462a8aa880e2ba831620 [arm64]=7caec09213a98e9e1b3c5f8aa4cfa1b6c12b5e3e96bfbb441b2289a4e6ba9758)
+          wget https://github.com/regclient/regclient/releases/download/v0.11.1/"regctl-linux-${ARCH}"
+          sha256sum -c <<<"${regctl_checksums[$ARCH]} regctl-linux-${ARCH}" || exit 1
+          chmod +x "regctl-linux-${ARCH}"
+          sudo mv "regctl-linux-${ARCH} /usr/bin/regctl
+
       - name: Install Kayobe
         run: |
           mkdir -p venvs &&
@@ -298,10 +308,18 @@ jobs:
           kayobe playbook run ${KAYOBE_CONFIG_PATH}/ansible/docker-registry-login.yml &&
 
           while read -r image; do
+            filename=$(basename "$image" | sed 's/:/\./g')
+            imagename=$(echo "$filename" | cut -d "." -f 1 | sed 's/-/_/g')
+            sbom="image-build-logs/image-scan-output/${imagename}/${filename}-sbom.json"
             # Retries!
             for i in {1..5}; do
               if docker push $image; then
                 echo "Pushed $image"
+                if [ -f "$sbom" ]; then
+                  echo "Pushing sbom for $image"
+                  regctl -v debug artifact put --artifact-type application/spdx+json --subject "$image" < "$sbom"
+                  echo "Pushed sbom for $image"
+                fi
                 break
               elif [ $i -eq 5 ] ; then
                 echo "Failed to push $image"