feat(ci): add BST-native SBOM, keyless cosign signing, and SLSA attes…#187
feat(ci): add BST-native SBOM, keyless cosign signing, and SLSA attes…#187castrojo wants to merge 2 commits intoprojectbluefin:mainfrom
Conversation
…tations Adds supply-chain security to the dakota CI pipeline: - SBOM: uses buildstream-sbom (pinned to 0706fec3) to generate SPDX 2.3 JSON directly from BST element metadata. Captures the full ~8300 package dep tree including GNOME/GTK/systemd from junctions — unlike syft which can only fingerprint binaries in the rootfs and misses source-built packages. Mounts ~/.config/buildstream-generate as a persistent volume so the gnome-build-meta secureboot key generation (generated.py plugin) is cached across container runs; a prime step ensures cold-cache builds work in one pass. - Signing: keyless cosign via Sigstore OIDC (no private key, no SIGNING_SECRET). Signature bound to the GitHub Actions identity, recorded in Rekor. - SBOM attachment: ORAS attaches sbom.json as an OCI referrer (type application/vnd.spdx+json), then signs the referrer keylessly. - Provenance: SLSA build provenance via actions/attest v4.1.0. - Local targets: `just sbom` generates the SPDX 2.3 SBOM locally; `just verify` checks cosign signature, SBOM referrer, and SLSA attestation against a pushed image. Action versions (cross-checked against ublue-os/bazzite): sigstore/cosign-installer v4.1.1 (cosign v2.6.1) oras-project/setup-oras v2.0.0 actions/attest v4.1.0 Note: artifact-metadata: write is org-only; personal forks will show startup_failure here (expected). Full pipeline runs on projectbluefin org. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces new Justfile recipes for generating a BuildStream-native SBOM and verifying supply-chain security using Cosign, ORAS, and SLSA. Feedback highlights opportunities to reduce duplication in container configurations, improve the efficiency of the SBOM tool installation by avoiding repeated Git clones, and resolve redundant logic and variable naming inconsistencies in the image verification script.
| podman run --rm \ | ||
| --privileged \ | ||
| --device /dev/fuse \ | ||
| --network=host \ | ||
| -v "{{justfile_directory()}}:/src:rw" \ | ||
| -v "${HOME}/.cache/buildstream:/root/.cache/buildstream:rw" \ | ||
| -v "${HOME}/.config/buildstream-generate:/root/.config/buildstream-generate:rw" \ | ||
| -w /src \ | ||
| "{{bst2_image}}" \ |
There was a problem hiding this comment.
The podman run configuration (flags and volume mounts) is duplicated multiple times within this recipe and also matches the bst recipe. This duplication makes the Justfile harder to maintain and prone to errors when updating volume mounts or container settings. Consider defining the common flags in a global just variable to ensure consistency across all recipes that invoke the BuildStream container.
| pip install --quiet \ | ||
| git+https://gitlab.com/BuildStream/buildstream-sbom.git@0706fec3bedf6f73bd9d2fed32c2aed585feef8d |
There was a problem hiding this comment.
Installing buildstream-sbom from Git on every execution of the sbom recipe is inefficient and makes the process dependent on external network availability. Since the container is run with --rm, the installation is not persisted. Consider using a container image that already includes the tool or caching the installation via a persistent volume mount for the Python environment.
| IMAGE="${1:-$IMAGE_REGISTRY/$IMAGE_NAME:latest}" | ||
| IMAGE="${image_ref:-${IMAGE_REGISTRY:-ghcr.io/projectbluefin}/{{image_name}}:{{image_tag}}}" |
There was a problem hiding this comment.
The assignment to IMAGE on line 641 is redundant as it is immediately overwritten by the logic on line 642. Additionally, line 641 references $IMAGE_NAME, but the variable exported at the top of the file is image_name (lowercase).
IMAGE="${image_ref:-${IMAGE_REGISTRY:-ghcr.io/projectbluefin}/{{image_name}}:{{image_tag}}}"
2 participants
Ok so we can't use syft for sboms since it's expecting RPMs, found this: https://gitlab.com/BuildStream/buildstream-sbom
https://fosdem.org/2026/schedule/event/P9FNH3-buildstream-sbom/
Confirmed this worked locally:
Agent notes:
SBOM: uses buildstream-sbom (pinned to 0706fec3) to generate SPDX 2.3 JSON directly from BST element metadata. Captures the full ~8300 package dep tree including GNOME/GTK/systemd from junctions — unlike syft which can only fingerprint binaries in the rootfs and misses source-built packages. Mounts ~/.config/buildstream-generate as a persistent volume so the gnome-build-meta secureboot key generation (generated.py plugin) is cached across container runs; a prime step ensures cold-cache builds work in one pass.
Signing: keyless cosign via Sigstore OIDC (no private key, no SIGNING_SECRET). Signature bound to the GitHub Actions identity, recorded in Rekor.
SBOM attachment: ORAS attaches sbom.json as an OCI referrer (type application/vnd.spdx+json), then signs the referrer keylessly.
Provenance: SLSA build provenance via actions/attest v4.1.0.
Local targets:
just sbomgenerates the SPDX 2.3 SBOM locally;just verifychecks cosign signature, SBOM referrer, and SLSA attestation against a pushed image.Action versions (cross-checked against ublue-os/bazzite):
sigstore/cosign-installer v4.1.1 (cosign v2.6.1)
oras-project/setup-oras v2.0.0
actions/attest v4.1.0
Note: artifact-metadata: write is org-only; personal forks will show startup_failure here (expected). Full pipeline runs on projectbluefin org.