Bump k8s.io/apimachinery from 0.27.4 to 0.28.1 #865

Workflow file for this run

	name: Validate SBOMs

	on:
	pull_request:
	branches:
	- 'main'

	env:
	SPDX_TOOLS_VERSION: 1.1.0

	jobs:
	cyclonedx:
	name: Validate CycloneDX SBOM
	runs-on: ubuntu-latest

	env:
	KO_DOCKER_REPO: localhost:1338

	steps:
	- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
	with:
	go-version: '1.21'
	check-latest: true
	- uses: chainguard-dev/actions/setup-registry@main
	- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
	- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

	- name: Install CycloneDX
	run: \|
	wget https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.22.0/cyclonedx-linux-x64
	chmod +x cyclonedx-linux-x64

	- name: Generate and Validate
	run: \|
	cosign download sbom $(go run ./ build --sbom=cyclonedx) \| tee cyclonedx.json
	./cyclonedx-linux-x64 validate --input-file=cyclonedx.json --fail-on-errors

	- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
	if: ${{ always() }}
	with:
	name: cyclonedx.json
	path: cyclonedx.json

	spdx:
	name: Validate SPDX SBOM
	runs-on: ubuntu-latest

	env:
	KO_DOCKER_REPO: localhost:1338

	steps:
	- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
	with:
	go-version: '1.20'
	check-latest: true
	- uses: chainguard-dev/actions/setup-registry@main
	- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
	- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

	- name: Install SPDX Tools
	run: \|
	wget https://github.com/spdx/tools-java/releases/download/v${SPDX_TOOLS_VERSION}/tools-java-${SPDX_TOOLS_VERSION}.zip
	unzip tools-java-${SPDX_TOOLS_VERSION}.zip

	- name: Generate and Validate
	run: \|
	cosign download sbom $(go run ./ build) \| tee spdx.json
	java -jar ./tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar Verify spdx.json

	- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
	if: ${{ always() }}
	with:
	name: spdx.json
	path: spdx.json

	spdx-multi-arch:
	name: Validate SPDX multi-arch SBOM
	runs-on: ubuntu-latest

	env:
	KO_DOCKER_REPO: localhost:1338

	steps:
	- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
	with:
	go-version: '1.21'
	check-latest: true
	- uses: chainguard-dev/actions/setup-registry@main
	- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
	- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

	- name: Install SPDX Tools
	run: \|
	wget https://github.com/spdx/tools-java/releases/download/v${SPDX_TOOLS_VERSION}/tools-java-${SPDX_TOOLS_VERSION}.zip
	unzip tools-java-${SPDX_TOOLS_VERSION}.zip

	- name: Generate and Validate
	run: \|
	img=$(go run ./ build --platform=linux/amd64,linux/arm64)
	cosign download sbom $img \| tee spdx-multi-arch.json

	java -jar ./tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar Verify spdx-multi-arch.json

	- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
	if: ${{ always() }}
	with:
	name: spdx-multi-arch.json
	path: spdx-multi-arch.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump k8s.io/apimachinery from 0.27.4 to 0.28.1 #865

Workflow file

Bump k8s.io/apimachinery from 0.27.4 to 0.28.1 #865

Jobs

Run details

Workflow file for this run