From 016c06769a430d8b92046c42cac1fb399ab9dca1 Mon Sep 17 00:00:00 2001
From: John Garbutt
Date: Fri, 10 Nov 2023 10:46:26 +0000
Subject: [PATCH 1/3] Add sbom generation
---
 docker-multiarch-build-push/action.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/docker-multiarch-build-push/action.yml b/docker-multiarch-build-push/action.yml
index c6ca2af..38c1b4b 100644
--- a/docker-multiarch-build-push/action.yml
+++ b/docker-multiarch-build-push/action.yml
@@ -105,6 +105,14 @@ runs:
 with:
 sarif_file: 'trivy-results.sarif'
+ - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.split.outputs.TAG }}
+ format: 'github'
+ output: 'dependency-results.sbom.json'
+ github-pat: ${{ secrets.GITHUB_TOKEN }}
+
 # Sign the resulting Docker image digest except on PRs.
 # This will only write to the public Rekor transparency log when the Docker
 # repository is public to avoid leaking data. If you would like to publish
From 06fd6f00f53733a686ca40d9c761a060a5615590 Mon Sep 17 00:00:00 2001
From: John Garbutt
Date: Fri, 10 Nov 2023 10:54:06 +0000
Subject: [PATCH 2/3] Fix up syntax
---
 docker-multiarch-build-push/action.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/docker-multiarch-build-push/action.yml b/docker-multiarch-build-push/action.yml
index 38c1b4b..4d8b9a0 100644
--- a/docker-multiarch-build-push/action.yml
+++ b/docker-multiarch-build-push/action.yml
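Review bot: `github-pat: ${{ secrets.GITHUB_TOKEN }}` on the added SBOM step will not resolve inside this composite action, because the `secrets` context is not exposed to steps declared in an `action.yml`; the token has to be passed in as an action input by the calling workflow, e.g. an input declared under `inputs:` with `required: true` and no default, consumed as `github-pat: ${{ inputs.github-token }}`. The second patch re-indents these lines but carries the same expression over unchanged. Separately, `uses: aquasecurity/trivy-action@master` resolves a mutable branch for the one step that is handed a write-capable token; if the earlier Trivy step above this hunk is pinned the same way this is a file-wide choice, but pinning this step to a release tag or commit SHA keeps the credential-bearing step reproducible. The step sits inside the `runs.steps` sequence, whose start and remainder lie outside the hunk.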
@@ -106,12 +106,12 @@ runs:
 sarif_file: 'trivy-results.sarif'
 - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ steps.split.outputs.TAG }}
- format: 'github'
- output: 'dependency-results.sbom.json'
- github-pat: ${{ secrets.GITHUB_TOKEN }}
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.split.outputs.TAG }}
+ format: 'github'
+ output: 'dependency-results.sbom.json'
+ github-pat: ${{ secrets.GITHUB_TOKEN }}
 # Sign the resulting Docker image digest except on PRs.
 # This will only write to the public Rekor transparency log when the Docker
From 6c98780bc0f7842a35937aa53cac916f54ac5e1d Mon Sep 17 00:00:00 2001
From: John Garbutt
Date: Fri, 10 Nov 2023 10:58:43 +0000
Subject: [PATCH 3/3] Attempt to make github_token work
---
 docker-multiarch-build-push/action.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/docker-multiarch-build-push/action.yml b/docker-multiarch-build-push/action.yml
index 4d8b9a0..b163d01 100644
--- a/docker-multiarch-build-push/action.yml
+++ b/docker-multiarch-build-push/action.yml
@@ -35,6 +35,11 @@ inputs:
 description: If true cosign is used to sign the image
 required: false
 default: 'false'
+
+## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
+permissions:
+ contents: write
+
 runs:
 using: composite
 steps:
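Review bot: The added top-level `permissions:` block with `contents: write` has no effect in an `action.yml`, because permissions are a workflow setting (`permissions:` at workflow or job level) and action metadata has no such field; when the action is loaded the key is either ignored or rejected as unexpected, and either way it grants nothing to the Dependency Graph submission. The grant has to come from the calling workflow, so the block should be removed and the requirement documented instead, for example with a comment next to `inputs:` such as `# Callers must grant `contents: write` so the SBOM step can submit to Dependency Graph`. The `## GITHUB_TOKEN authentication, add only if you're not going to use a PAT` line reads as pasted from a workflow example and would lead a reader to believe the action can widen its own token scope.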