From 8913530b65bdb883a94f8b33ed14e5ccfa4a15b9 Mon Sep 17 00:00:00 2001 From: arewm Date: Thu, 19 Dec 2024 15:00:30 -0500 Subject: [PATCH] Optionally skip SBOM generation Since we can require SBOMs to be present with EC policies, we can enable users to optionally speed up their builds by not analyzing repositories to generate build-time SBOMs. While we may have a partial SBOM from the prefetched data, we should just not upload an SBOM at all in order to simplify decisions (i.e. removing the need to decide if the SBOM is full or partial). Signed-off-by: arewm --- .../README.md | 1 + pipelines/docker-build-oci-ta/README.md | 1 + pipelines/docker-build/README.md | 1 + pipelines/fbc-builder/README.md | 1 + task/buildah-oci-ta/0.2/README.md | 1 + task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 17 ++++ task/buildah-remote-oci-ta/0.2/README.md | 3 + .../0.2/buildah-remote-oci-ta.yaml | 17 ++++ task/buildah-remote/0.2/README.md | 3 + task/buildah-remote/0.2/buildah-remote.yaml | 17 ++++ task/buildah/0.2/README.md | 80 +++++++++---------- task/buildah/0.2/buildah.yaml | 17 +++- 12 files changed, 116 insertions(+), 43 deletions(-) diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index ecc2ac3f9f..a7539f6042 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -61,6 +61,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |LABELS| Additional key=value labels that should be applied to the image| []| | |PLATFORM| The platform to build on| None| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index f9b3f8b35f..8bd7e4ece2 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -58,6 +58,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |LABELS| Additional key=value labels that should be applied to the image| []| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index bf5f15cf5d..c364887d97 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -57,6 +57,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |LABELS| Additional key=value labels that should be applied to the image| []| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md index c2510879fd..541886e09f 100644 --- a/pipelines/fbc-builder/README.md +++ b/pipelines/fbc-builder/README.md @@ -61,6 +61,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |LABELS| Additional key=value labels that should be applied to the image| []| | |PLATFORM| The platform to build on| None| | |PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| | |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index 1718940ae7..8e5b5ada25 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md @@ -23,6 +23,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| |LABELS|Additional key=value labels that should be applied to the image|[]|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|SKIP_SBOM_GENERATION|Skip SBOM-related operations. This will likely cause EC policies to fail if enabled|false|false| |SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| |SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 47505c94fb..c52000e9dd 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -82,6 +82,11 @@ spec: be made available to the build. type: string default: "" + - name: SKIP_SBOM_GENERATION + description: Skip SBOM-related operations. This will likely cause EC + policies to fail if enabled + type: string + default: "false" - name: SKIP_UNUSED_STAGES description: Whether to skip stages in Containerfile that seem unused by subsequent stages @@ -618,6 +623,10 @@ spec: - mountPath: /shared name: shared script: | + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Running syft on the source directory" syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json" echo "Running syft on the image filesystem" @@ -656,6 +665,10 @@ spec: image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:adbe6c723810099c5cf616b1edb8ab6f276385fd2f97dfd201ab3ccc6402b834 workingDir: /var/workdir script: | + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" python3 /scripts/merge_syft_sboms.py @@ -700,6 +713,10 @@ spec: readOnly: true script: | #!/bin/bash + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then diff --git a/task/buildah-remote-oci-ta/0.2/README.md b/task/buildah-remote-oci-ta/0.2/README.md index 2a1df3de99..b27209b2fb 100644 --- a/task/buildah-remote-oci-ta/0.2/README.md +++ b/task/buildah-remote-oci-ta/0.2/README.md @@ -21,7 +21,9 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |HERMETIC|Determines if build will be executed without network access.|false|false| |IMAGE|Reference of the image buildah will produce.||true| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|LABELS|Additional key=value labels that should be applied to the image|[]|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|SKIP_SBOM_GENERATION|Skip SBOM-related operations. This will likely cause EC policies to fail if enabled|false|false| |SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| |SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| @@ -34,6 +36,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| |caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| |PLATFORM|The platform to build on||true| +|IMAGE_APPEND_PLATFORM|Whether to append a sanitized platform architecture on the IMAGE tag|false|false| ## Results |name|description| diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 97ed4bbf6a..48df111bbd 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -81,6 +81,11 @@ spec: to the build. name: PREFETCH_INPUT type: string + - default: "false" + description: Skip SBOM-related operations. This will likely cause EC policies + to fail if enabled + name: SKIP_SBOM_GENERATION + type: string - default: "true" description: Whether to skip stages in Containerfile that seem unused by subsequent stages @@ -725,6 +730,10 @@ spec: IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE fi + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Running syft on the source directory" syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json" echo "Running syft on the image filesystem" @@ -780,6 +789,10 @@ spec: IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE fi + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" python3 /scripts/merge_syft_sboms.py @@ -820,6 +833,10 @@ spec: name: upload-sbom script: | #!/bin/bash + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then diff --git a/task/buildah-remote/0.2/README.md b/task/buildah-remote/0.2/README.md index d89a4972bd..5f616e9b42 100644 --- a/task/buildah-remote/0.2/README.md +++ b/task/buildah-remote/0.2/README.md @@ -31,7 +31,10 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| |STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| |SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| +|LABELS|Additional key=value labels that should be applied to the image|[]|false| +|SKIP_SBOM_GENERATION|Skip SBOM-related operations. This will likely cause EC policies to fail if enabled|false|false| |PLATFORM|The platform to build on||true| +|IMAGE_APPEND_PLATFORM|Whether to append a sanitized platform architecture on the IMAGE tag|false|false| ## Results |name|description| diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 6e7f2ccaf3..d803b69f59 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -119,6 +119,11 @@ spec: description: Additional key=value labels that should be applied to the image name: LABELS type: array + - default: "false" + description: Skip SBOM-related operations. This will likely cause EC policies + to fail if enabled + name: SKIP_SBOM_GENERATION + type: string - description: The platform to build on name: PLATFORM type: string @@ -704,6 +709,10 @@ spec: IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE fi + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Running syft on the source directory" syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json" echo "Running syft on the image filesystem" @@ -759,6 +768,10 @@ spec: IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" export IMAGE fi + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" python3 /scripts/merge_syft_sboms.py @@ -799,6 +812,10 @@ spec: name: upload-sbom script: | #!/bin/bash + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then diff --git a/task/buildah/0.2/README.md b/task/buildah/0.2/README.md index 6be68eb10e..db1b4a54c9 100644 --- a/task/buildah/0.2/README.md +++ b/task/buildah/0.2/README.md @@ -6,49 +6,45 @@ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. ## Parameters -| name | description | default value | required | -| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | -------- | -| IMAGE | Reference of the image buildah will produce. | | true | -| DOCKERFILE | Path to the Dockerfile to build. | ./Dockerfile | false | -| CONTEXT | Path to the directory to use as context. | . | false | -| TLSVERIFY | Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) | true | false | -| HERMETIC | Determines if build will be executed without network access. | false | false | -| PREFETCH_INPUT | In case it is not empty, the prefetched content should be made available to the build. | "" | false | -| IMAGE_EXPIRES_AFTER | Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. | "" | false | -| COMMIT_SHA | The image is built from this commit. | "" | false | -| YUM_REPOS_D_SRC | Path in the git repository in which yum repository files are stored | repos.d | false | -| YUM_REPOS_D_FETCHED | Path in source workspace where dynamically-fetched repos are present | fetched.repos.d | false | -| YUM_REPOS_D_TARGET | Target path on the container in which yum repository files should be made available | /etc/yum.repos.d | false | -| TARGET_STAGE | Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage. | "" | false | -| ENTITLEMENT_SECRET | Name of secret which contains the entitlement certificates | etc-pki-entitlement | false | -| ACTIVATION_KEY | Name of secret which contains subscription activation key | activation-key | false | -| ADDITIONAL_SECRET | Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET | does-not-exist | false | -| BUILD_ARGS | Array of --build-arg values ("arg=value" strings) | [] | false | -| BUILD_ARGS_FILE | Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file | "" | false | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | false | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | false | -| ADD_CAPABILITIES | Comma separated list of extra capabilities to add when running 'buildah build' | "" | false | -| SQUASH | Squash all new and previous layers added as a part of this build, as per --squash | false | false | -| STORAGE_DRIVER | Storage driver to configure for buildah | vfs | false | -| SKIP_UNUSED_STAGES | Whether to skip stages in Containerfile that seem unused by subsequent stages | true | false | +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image buildah will produce.||true| +|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| +|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| +|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| +|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| +|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| +|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| +|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| +|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| +|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| +|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| +|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| +|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| +|LABELS|Additional key=value labels that should be applied to the image|[]|false| +|SKIP_SBOM_GENERATION|Skip SBOM-related operations. This will likely cause EC policies to fail if enabled|false|false| ## Results -| name | description | -| --------------------------- | --------------------------------------------------------------------------------- | -| IMAGE_DIGEST | Digest of the image just built | -| IMAGE_URL | Image repository and tag where the built image was pushed | -| IMAGE_REF | Image reference of the built image | -| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance | -| SBOM_JAVA_COMPONENTS_COUNT | The counting of Java components by publisher in JSON format | -| JAVA_COMMUNITY_DEPENDENCIES | The Java dependencies that came from community sources such as Maven central. | +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository and tag where the built image was pushed| +|IMAGE_REF|Image reference of the built image| +|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| +|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| +|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| ## Workspaces -| name | description | optional | -| ------ | ---------------------------------------------- | -------- | -| source | Workspace containing the source code to build. | false | - - -## Changes in 0.2.1 -- Added image reference to the SBOM output file. -- Re-arranged steps to push image first and then generate and push SBOM file. -- Remove SBOM file stored in the image under `/root/buildinfo/content_manifests/` +|name|description|optional| +|---|---|---| +|source|Workspace containing the source code to build.|false| diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 35af0fde84..a88c6fbf99 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -107,6 +107,10 @@ spec: description: Additional key=value labels that should be applied to the image type: array default: [] + - name: SKIP_SBOM_GENERATION + description: Skip SBOM-related operations. This will likely cause EC policies to fail if enabled + type: string + default: "false" results: - description: Digest of the image just built @@ -566,6 +570,10 @@ spec: memory: 1Gi cpu: 500m script: | + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Running syft on the source directory" syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json" echo "Running syft on the image filesystem" @@ -609,6 +617,10 @@ spec: memory: 256Mi cpu: 100m script: | + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" python3 /scripts/merge_syft_sboms.py @@ -643,6 +655,10 @@ spec: image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8 script: | #!/bin/bash + if [ "${SKIP_SBOM_GENERATION}" == "true" ]; then + echo "Skipping SBOM generation" + exit 0 + fi ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then @@ -658,7 +674,6 @@ spec: sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" # The SBOM_BLOB_URL is created by `cosign attach sbom`. echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" - computeResources: limits: memory: 512Mi