feat: add SBOM to some extensions

Tailscale is built here, with SBOM generated in its pkg.yaml, and nvidia-lts copies SBOM from pkgs. Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
2025-08-06 06:17:11 +02:00 · 2025-07-15 18:36:21 +02:00 · 2025-07-15 18:36:21 +02:00 · cd4673697a
commit cd4673697a
parent 02136245f0
10 changed files with 27 additions and 17 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -1,8 +1,7 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-06-04T09:48:52Z by kres fc6afbe.
+# Generated on 2025-07-15T16:36:07Z by kres b869533.

-name: default
 concurrency:
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -17,6 +16,7 @@ concurrency:
    branches:
      - main
      - release-*
+name: default
 jobs:
  default:
    permissions:
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@ -1,11 +1,11 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-06-27T18:52:46Z by kres 5128bc1.
+# Generated on 2025-07-15T16:36:07Z by kres b869533.

-name: Lock old issues
 "on":
  schedule:
    - cron: 0 2 * * *
+name: Lock old issues
 permissions:
  issues: write
 jobs:
--- a/.github/workflows/slack-notify.yaml
+++ b/.github/workflows/slack-notify.yaml
@ -1,8 +1,7 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2024-11-27T11:10:30Z by kres 232fe63.
+# Generated on 2025-07-15T16:36:07Z by kres b869533.

-name: slack-notify
 "on":
  workflow_run:
    workflows:
@ -10,6 +9,7 @@ name: slack-notify
      - weekly
    types:
      - completed
+name: slack-notify
 jobs:
  slack-notify:
    runs-on:
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -1,11 +1,11 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-06-27T18:52:46Z by kres 5128bc1.
+# Generated on 2025-07-15T16:36:07Z by kres b869533.

-name: Close stale issues and PRs
 "on":
  schedule:
    - cron: 30 1 * * *
+name: Close stale issues and PRs
 permissions:
  issues: write
  pull-requests: write
--- a/.github/workflows/weekly.yaml
+++ b/.github/workflows/weekly.yaml
@ -1,14 +1,14 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-06-04T09:48:52Z by kres fc6afbe.
+# Generated on 2025-07-15T16:36:07Z by kres b869533.

-name: weekly
 concurrency:
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 "on":
  schedule:
    - cron: 30 1 * * 1
+name: weekly
 jobs:
  reproducibility:
    runs-on:
--- a/.kres.yaml
+++ b/.kres.yaml
@ -83,11 +83,11 @@ spec:
      - name: EXTENSIONS_IMAGE_REF
        defaultValue: $(REGISTRY_AND_USERNAME)/extensions:$(TAG)
      - name: PKGS
-        defaultValue: v1.11.0-alpha.0-44-ga24b40e
+        defaultValue: v1.11.0-alpha.0-50-g853cf3a
      - name: PKGS_PREFIX
        defaultValue: ghcr.io/siderolabs
      - name: TOOLS
-        defaultValue: v1.11.0-alpha.0-6-g4818702
+        defaultValue: v1.11.0-alpha.0-8-g650b916
      - name: TOOLS_PREFIX
        defaultValue: ghcr.io/siderolabs
  useBldrPkgTagResolver: true
--- a/8
+++ b/8
@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-07-10T15:57:51Z by kres 1700045.
+# Generated on 2025-07-15T16:36:07Z by kres b869533.

 # common variables

@ -25,7 +25,7 @@ SOURCE_DATE_EPOCH := $(shell git log $(INITIAL_COMMIT_SHA) --pretty=%ct)

 # sync bldr image with pkgfile

-BLDR_RELEASE := v0.4.1
+BLDR_RELEASE := v0.5.1
 BLDR_IMAGE := ghcr.io/siderolabs/bldr:$(BLDR_RELEASE)
 BLDR := docker run --rm --user $(shell id -u):$(shell id -g) --volume $(PWD):/src --entrypoint=/bldr $(BLDR_IMAGE) --root=/src

@ -50,9 +50,9 @@ COMMON_ARGS += --build-arg=TOOLS_PREFIX="$(TOOLS_PREFIX)"
 # extra variables

 EXTENSIONS_IMAGE_REF ?= $(REGISTRY_AND_USERNAME)/extensions:$(TAG)
-PKGS ?= v1.11.0-alpha.0-44-ga24b40e
+PKGS ?= v1.11.0-alpha.0-50-g853cf3a
 PKGS_PREFIX ?= ghcr.io/siderolabs
-TOOLS ?= v1.11.0-alpha.0-6-g4818702
+TOOLS ?= v1.11.0-alpha.0-8-g650b916
 TOOLS_PREFIX ?= ghcr.io/siderolabs

 # targets defines all the available targets
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-# syntax = ghcr.io/siderolabs/bldr:v0.4.1
+# syntax = ghcr.io/siderolabs/bldr:v0.5.1

 format: v1alpha2

--- a/network/tailscale/pkg.yaml
+++ b/network/tailscale/pkg.yaml
@ -42,6 +42,13 @@ steps:
      - |
        mkdir -p /rootfs/usr/local/etc/containers
        cp /pkg/tailscale.yaml /rootfs/usr/local/etc/containers/
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/tailscale.spdx.json
+      version: {{ .TAILSCALE_VERSION }}
+      cpes:
+        - cpe:2.3:a:tailscale:tailscale:{{ .TAILSCALE_VERSION }}:*:*:*:*:*:*:*
+      licenses:
+        - BSD-3-Clause
    test:
      - |
        mkdir -p /extensions-validator-rootfs
--- a/nvidia-gpu/nonfree/kmod-nvidia/lts/pkg.yaml
+++ b/nvidia-gpu/nonfree/kmod-nvidia/lts/pkg.yaml
@ -18,6 +18,9 @@ steps:
        cp /pkg/files/nvidia.conf /rootfs/usr/local/lib/modprobe.d/nvidia.conf

        cp -R /usr/lib/modules/* /rootfs/usr/lib/modules
+
+        mkdir -p /rootfs/usr/local/share/spdx
+        cp -R /usr/share/spdx/kmod-nvidia-lts.spdx.json /rootfs/usr/local/share/spdx
    test:
      - |
        mkdir -p /extensions-validator-rootfs