coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 11 additions & 0 deletions b/‎.github/workflows/ci.yaml
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 11 additions & 0 deletions b/‎.github/workflows/release.yaml
Lines changed: 11 additions & 0 deletions
diff --git a/‎dogfood/coder/Dockerfile
Lines changed: 10 additions & 2 deletions b/‎dogfood/coder/Dockerfile
Lines changed: 10 additions & 2 deletions
diff --git a/‎flake.nix
Lines changed: 2 additions & 0 deletions b/‎flake.nix
Lines changed: 2 additions & 0 deletions
diff --git a/‎scripts/build_docker.sh
Lines changed: 14 additions & 3 deletions b/‎scripts/build_docker.sh
Lines changed: 14 additions & 3 deletions
diff --git a/‎scripts/build_docker_multiarch.sh
Lines changed: 5 additions & 16 deletions b/‎scripts/build_docker_multiarch.sh
Lines changed: 5 additions & 16 deletions
@@ -1024,6 +1024,7 @@ jobs:
       # Necessary to push docker images to ghcr.io.
       packages: write
       # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+      # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
       id-token: write
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
@@ -1069,6 +1070,16 @@ jobs:
       - name: Install zstd
         run: sudo apt-get install -y zstd
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        with:
+          cosign-release: "v2.4.3"
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+        with:
+          syft-version: "v1.20.0"
+
       - name: Setup Windows EV Signing Certificate
         run: |
           set -euo pipefail
 
@@ -122,6 +122,7 @@ jobs:
       # Necessary to push docker images to ghcr.io.
       packages: write
       # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+      # Also necessary for keyless cosign (https://docs.sigstore.dev/cosign/signing/overview/)
       id-token: write
     env:
       # Necessary for Docker manifest
@@ -246,6 +247,16 @@ jobs:
             apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign
           rm /tmp/rcodesign.tar.gz
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        with:
+          cosign-release: "v2.4.3"
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+        with:
+          syft-version: "v1.20.0"
+
       - name: Setup Apple Developer certificate and API key
         run: |
           set -euo pipefail
 
@@ -278,7 +278,9 @@ ARG CLOUD_SQL_PROXY_VERSION=2.2.0 \
 	KUBECTX_VERSION=0.9.4 \
 	STRIPE_VERSION=1.14.5 \
 	TERRAGRUNT_VERSION=0.45.11 \
-	TRIVY_VERSION=0.41.0
+	TRIVY_VERSION=0.41.0 \
+	SYFT_VERSION=1.20.0 \
+	COSIGN_VERSION=2.4.3
 
 # cloud_sql_proxy, for connecting to cloudsql instances
 # the upstream go.mod prevents this from being installed with go install
@@ -316,7 +318,13 @@ RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_prox
 	chmod a=rx /usr/local/bin/terragrunt && \
 	# AquaSec Trivy for scanning container images for security issues
 	curl --silent --show-error --location "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- trivy
+	tar --extract --gzip --directory=/usr/local/bin --file=- trivy && \
+	# Anchore Syft for SBOM generation
+	curl --silent --show-error --location "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux-amd64.tar.gz" | \
+	tar --extract --gzip --directory=/usr/local/bin --file=- syft \
+	# Sigstore Cosign for artifact signing and attestation
+	curl --silent --show-error --location --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \
+	chmod a=rx /usr/local/bin/cosign
 
 # We use yq during "make deploy" to manually substitute out fields in
 # our helm values.yaml file. See https://github.com/helm/helm/issues/3141
 
@@ -113,6 +113,7 @@
             bat
             cairo
             curl
+            cosign
             delve
             dive
             drpc.defaultPackage.${system}
@@ -161,6 +162,7 @@
             shellcheck
             (pinnedPkgs.shfmt)
             sqlc
+            syft
             unstablePkgs.terraform
             typos
             which
 
@@ -136,12 +136,10 @@ fi
 
 log "--- Building Docker image for $arch ($image_tag)"
 
-docker buildx build \
+docker build \
 	--platform "$arch" \
 	--build-arg "BASE_IMAGE=$base_image" \
 	--build-arg "CODER_VERSION=$version" \
-	--provenance true \
-	--sbom true \
 	--no-cache \
 	--tag "$image_tag" \
 	-f Dockerfile \
@@ -155,4 +153,17 @@ if [[ "$push" == 1 ]]; then
 	docker push "$image_tag" 1>&2
 fi
 
+log "--- Generating SBOM for Docker image ($image_tag)"
+syft "$image_tag" -o spdx-json >"${image_tag}.spdx.json"
+
+if [[ "$push" == 1 ]]; then
+	log "--- Attesting SBOM to Docker image for $arch ($image_tag)"
+	COSIGN_EXPERIMENTAL=1 cosign clean "$image_tag"
+
+	COSIGN_EXPERIMENTAL=1 cosign attest --type spdxjson \
+		--predicate "${image_tag}.spdx.json" \
+		--yes \
+		"$image_tag"
+fi
+
 echo "$image_tag"
@@ -77,24 +77,13 @@ done
 
 # Sadly, manifests don't seem to support labels.
 log "--- Creating multi-arch Docker image ($target)"
-
-# Create a buildx builder instance if it doesn't exist
-if ! docker buildx inspect multiarch-builder &>/dev/null; then
-    docker buildx create --name multiarch-builder --use
-fi
-
-# Create manifest with buildx imagetools
-log "--- Creating multi-arch manifest with attestations"
-
-# For images with attestations, we preserve the entire structure by using image tags directly,
-# letting Docker handle retrieving both the architecture manifests and attestation manifests
-docker buildx imagetools create --tag "$target" "$@"
+docker manifest create \
+	"$target" \
+	"${create_args[@]}"
 
 if [[ "$push" == 1 ]]; then
-    log "--- Verifying multi-arch Docker image ($target)"
-    # The manifest is already created and pushed when using buildx imagetools create
-    # We just need to verify it exists
-    docker buildx imagetools inspect "$target"
+	log "--- Pushing multi-arch Docker image ($target)"
+	docker manifest push "$target"
 fi
 
 echo "$target"