@@ -70,13 +70,18 @@ jobs:
7070 cargo binstall cargo-component --force --version ${{ env.CARGO_COMPONENT_VERSION }}
7171 cargo binstall wkg --force
7272 cargo binstall cargo-auditable cargo-audit
73+ cargo binstall auditable2cdx
7374
7475 - name : Build the component
7576 run : cargo auditable component build --release
7677
7778 - name : Normalize COMPONENT_NAME and Append .wasm
7879 run : echo "COMPONENT_NAME_UNDERSCORED=${COMPONENT_NAME//-/_}.wasm" >> $GITHUB_ENV
7980
81+ - name : Extract the SBOM from the component
82+ if : github.event_name != 'workflow_dispatch'
83+ run : auditable2cdx target/wasm32-wasip1/release/${{ env.COMPONENT_NAME_UNDERSCORED }} >> ${ env.COMPONENT_NAME }.spdx.json
84+
8085 - name : Publish `:<version>` to GitHub Container Registry
8186 if : github.event_name != 'workflow_dispatch'
8287 id : publish_versioned
9499 if : github.event_name != 'workflow_dispatch'
95100 run : cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@${{ steps.publish_versioned.outputs.digest }}
96101
102+ - name : Sign the SBOM for the versioned Wasm component
103+ if : github.event_name != 'workflow_dispatch'
104+ run : cosign attest --type spdxjson --predicate ${ env.COMPONENT_NAME }.spdx.json ${{ steps.publish_versioned.outputs.digest }}
105+
97106 - name : Publish `:latest` release to GitHub Container Registry
98107 if : github.event_name != 'workflow_dispatch'
99108 id : publish_latest
@@ -111,3 +120,6 @@ jobs:
111120 if : github.event_name != 'workflow_dispatch'
112121 run : cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@${{ steps.publish_latest.outputs.digest }}
113122
123+ - name : Sign the SBOM for the latest Wasm component
124+ if : github.event_name != 'workflow_dispatch'
125+ run : cosign attest --type spdxjson --predicate ${ env.COMPONENT_NAME }.spdx.json ${{ steps.publish_latest.outputs.digest }}
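Review bot: The attest command on the last line cannot work as written: `${ env.COMPONENT_NAME }` is not a workflow expression (the single-brace form reaches the shell unexpanded and bash rejects it as a bad substitution), and the subject is the bare digest rather than the `ghcr.io/<image>/<component>@<digest>` reference the preceding `cosign sign` step uses, so cosign has no image to attach the attestation to; the same two problems are repeated in the extraction and versioned-attest steps of the earlier hunk, and the enclosing job starts outside the hunk. I would write `run: cosign attest --yes --type cyclonedx --predicate ${{ env.COMPONENT_NAME }}.cdx.json ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@${{ steps.publish_latest.outputs.digest }}` and use the matching file name in the extraction step. `--yes` mirrors the existing sign steps, which need it because the keyless flow otherwise prompts for confirmation and hangs a non-interactive runner, and the predicate type should match what `auditable2cdx` actually emits — the tool name suggests CycloneDX, in which case `--type spdxjson` and the `.spdx.json` suffix mislabel the document for anyone verifying it, so confirm against the tool's output. Separately, the `>>` redirect in the extraction step appends a second document on a re-run, so `>` is the safer choice, and `cargo binstall auditable2cdx` pulls an unpinned prebuilt binary onto the release path — pin its version as the cargo-component line already does.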