
feat: SBOM #81

Open
akafazov wants to merge 24 commits into main from feat/sbom

Conversation


@akafazov akafazov commented Mar 3, 2026

SBOM

Introduce workflow changes to support new OCM structure and add Software Bill Of Materials to image components.

Changes:

  • new job .github/workflows/job-chart-ocm.yml to create chart-only OCM component
  • new job .github/workflows/job-image-ocm.yml to create image-only OCM component
  • new job job-sbom.yml to create CycloneDX and SPDX SBOM (Software Bill Of Materials) artefacts
  • modify .github/workflows/job-ocm.yml to support:
    • new chartOnly mode to build OCM component for a chart
    • keep existing monolithic mode to build component with chart and image (backward compatibility during migration)
  • modified .github/workflows/pipeline-golang-app.yml and .github/workflows/pipeline-node-app.yml to build new OCM components for the images containing SBOM
  • signs OCM components before transferring them to the GitHub OCI repository

Note

Needs OCM_SIGNING_PRIVATE_KEY env variable containing the private key to sign with.
Key pair can be generated with: ocm create rsakeypair acme.priv

refers to #82

akafazov added 8 commits March 9, 2026 14:07
On-behalf-of: @SAP angel.kafazov@sap.com
Signed-off-by: Angel Kafazov <akafazov@cst-bg.net>
… integration

…ioning

…upport

…handling

akafazov and others added 9 commits March 9, 2026 14:16
…able

…le and componentName inputs

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…in permissions

…in permissions

@akafazov akafazov changed the title Feat/sbom feat(SBOM) Mar 9, 2026
@akafazov akafazov changed the title feat(SBOM) feat: SBOM Mar 9, 2026
akafazov added 5 commits March 9, 2026 17:13
@akafazov akafazov marked this pull request as ready for review March 9, 2026 15:29
@akafazov akafazov requested review from a team as code owners March 9, 2026 15:29

nexus49 commented Mar 10, 2026

@coderabbitai full review


coderabbitai bot commented Mar 10, 2026

✅ Actions performed

Full review triggered.


coderabbitai bot commented Mar 10, 2026

Walkthrough

This pull request introduces OCM (Open Component Model) integration and SBOM generation to the CI/CD pipeline. Three new reusable workflow files are added: job-chart-ocm.yml for Helm chart component creation, job-image-ocm.yml for Docker image component creation, and job-sbom.yml for generating CycloneDX and SPDX software bills of materials. Existing workflows are modified to support dual-path orchestration via new inputs chartOnly and imageComponentName, enabling either chart-only or monolithic builds. The pipeline workflows for Golang and Node.js applications are refactored to include SBOM generation and image OCM processing jobs while removing legacy dockerBuild jobs.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

Inline comments:
In @.github/workflows/job-chart-ocm.yml:
- Around line 25-28: The workflow defines ocmRegistryUrl but the auth block that
writes the .ocmconfig is hard-coded to "ghcr.io/platform-mesh", so pushes to
custom registries fail; update the code that generates the .ocmconfig/auth
config to use the ocmRegistryUrl input variable instead of the literal
"ghcr.io/platform-mesh" (also update any repeated blocks that handle auth
generation around the other related auth sections), ensuring the registry host
used in authentication entries and credential lookups is derived from
ocmRegistryUrl (reference the ocmRegistryUrl input and the logic that emits
.ocmconfig/auth entries).

In @.github/workflows/job-image-ocm.yml:
- Around line 21-24: The generated auth config and any .ocmconfig creation
currently hard-codes "ghcr.io/platform-mesh" instead of using the workflow input
ocmRegistryUrl, causing mismatched registry/authentication; update every place
that writes .ocmconfig or embeds the registry (including the blocks
referenced around the other occurrences) to interpolate the ocmRegistryUrl input
(use the workflow input variable name ocmRegistryUrl) instead of the literal
string, ensuring the echo/printf or template that creates .ocmconfig uses
${{ inputs.ocmRegistryUrl }} (or the appropriate GitHub Actions variable syntax) so
auth entries match the configured registry.

In @.github/workflows/job-ocm.yml:
- Around line 18-27: The chartOnly input currently prevents populating image
metadata but does not switch the default constructor or stop passing image
variables (so workflows still use .ocm/component-constructor.yaml and image
vars); update the workflow to: when chartOnly is true set the constructor to a
chart-only constructor (e.g., .ocm/chart-only-constructor.yaml or a dedicated
constructor variable) and ensure the archive/trigger steps do not pass
image-related variables (imageComponentName, image tags, etc.) unless chartOnly
is false; apply the same conditional logic wherever the workflow sets image
metadata or the constructor (the other blocks referenced around the image inputs
and archive/trigger steps) so chartOnly is safe by default.

In @.github/workflows/pipeline-golang-app.yml:
- Around line 2-3: The workflow-level permissions only grant "contents: read",
preventing called reusable workflows (like job-image-ocm.yml) from performing
GHCR pushes; update the top-level permissions mapping to include "packages:
write" alongside "contents: read" so the called job can push images to GHCR
(modify the permissions block that currently lists permissions: and contents:
read to add packages: write).

In @.github/workflows/pipeline-node-app.yml:
- Around line 76-85: The imageOcm reusable job (uses:
./.github/workflows/job-image-ocm.yml) requires the caller to grant packages:
write so GHCR publishing works; add an explicit permissions block granting
packages: write — either at the workflow top-level or immediately under the
imageOcm job definition — e.g., add permissions: { packages: write } so the
caller workflow explicitly provides the token scope required by
job-image-ocm.yml.

Configuration used: Repository: platform-mesh/coderabbit/.coderabbit.yaml

Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 233be4f and 9f4f0a7.

📒 Files selected for processing (7)
  • .github/workflows/job-chart-ocm.yml
  • .github/workflows/job-image-ocm.yml
  • .github/workflows/job-ocm.yml
  • .github/workflows/job-sbom.yml
  • .github/workflows/pipeline-chart.yml
  • .github/workflows/pipeline-golang-app.yml
  • .github/workflows/pipeline-node-app.yml
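As an added example (not code from the PR or from the platform-mesh workflows), a POSIX shell sketch of what the first two review comments ask for: the .ocmconfig credential consumer is derived from the ocmRegistryUrl input rather than a literal registry, and the archive is signed and verified with the matching public key before it is transferred, following the signing note in the description. The OCM config layout, the OCM_REGISTRY_USER/OCM_REGISTRY_TOKEN names and the ocm CLI flag spellings are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's workflow code. The credential entry is built from
# the ocmRegistryUrl input instead of the literal "ghcr.io/platform-mesh", so the
# .ocmconfig auth entry always matches the registry the component is pushed to.
# Assumptions: the credentials.config.ocm.software layout with an OCIRegistry
# consumer identity (hostname + pathprefix), the OCM_REGISTRY_USER/TOKEN env
# names, and the ocm CLI flag names used in sign_verify_transfer.

# Split "[scheme://]host[/path/prefix]" into "host" or "host prefix".
registry_identity() {
  url=${1#*://}            # drop oci:// or https:// if present
  host=${url%%/*}          # everything before the first slash
  prefix=${url#"$host"}    # remainder, e.g. "/platform-mesh"
  prefix=${prefix#/}       # strip leading and trailing slashes
  prefix=${prefix%/}
  printf '%s\n' "$host${prefix:+ $prefix}"
}

# Emit an .ocmconfig whose consumer identity is derived from the registry URL;
# pathprefix is omitted when the URL names a bare host such as localhost:5000.
write_ocmconfig() {
  set -- $(registry_identity "$1")
  printf '%s\n' \
    'type: generic.config.ocm.software/v1' \
    'configurations:' \
    '  - type: credentials.config.ocm.software' \
    '    consumers:' \
    '      - identity:' \
    '          type: OCIRegistry' \
    "          hostname: $1"
  [ -n "$2" ] && printf '          pathprefix: %s\n' "$2"
  printf '%s\n' \
    '        credentials:' \
    '          - type: Credentials' \
    '            properties:' \
    "              username: ${OCM_REGISTRY_USER:-placeholder-user}" \
    "              password: ${OCM_REGISTRY_TOKEN:-placeholder-token}"
}

# Sign the transport archive, verify it with the matching public key, and only
# then transfer it; a failed verification stops the push. No-op without the CLI.
sign_verify_transfer() {   # $1 = CTF archive dir, $2 = target registry URL
  command -v ocm >/dev/null 2>&1 || { echo "ocm CLI not installed" >&2; return 0; }
  ocm sign componentversions --signature acme --private-key acme.priv "$1" &&
    ocm verify componentversions --signature acme --public-key acme.pub "$1" &&
    ocm transfer componentversions "$1" "$2"
}

# Usage: write_ocmconfig "$OCM_REGISTRY_URL" > .ocmconfig
```

In a workflow step the registry URL would come from `${{ inputs.ocmRegistryUrl }}` and the credentials from secrets, so no registry host is ever spelled out in the job itself.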

@akafazov akafazov requested a review from nexus49 March 10, 2026 08:51