Merge pull request #21 from depot/feat/sbom-dir

feat: add output directory for image SBOMs

Author: goller

README.md

@@ -135,6 +135,7 @@ The following inputs can be used as `step.with` keys and match the inputs from [
 | `pull`             | Bool        | Always attempt to pull all referenced images (default `false`)                                                                                                                                                               |
 | `push`             | Bool        | [Push](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#push) is a shorthand for `--output=type=registry` (default `false`)                                                                       |
 | `sbom`             | Bool/String | Generate [SBOM](https://docs.docker.com/build/attestations/sbom/) attestation for the build (shorthand for `--attest=type=sbom`)                                                                                             |
+| `sbom-dir`         | String      | Save all image [SBOM](https://docs.docker.com/build/attestations/sbom/) to this output directory                                                                                                                             |
 | `secrets`          | List        | List of [secrets](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#secret) to expose to the build (e.g., `key=string`, `GIT_AUTH_TOKEN=mytoken`)                                                  |
 | `secret-files`     | List        | List of [secret files](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#secret) to expose to the build (e.g., `key=filename`, `MY_SECRET=./secret.txt`)                                           |
 | `shm-size`         | String      | Size of [`/dev/shm`](https://github.com/docker/buildx/blob/master/docs/reference/buildx_build.md#-size-of-devshm---shm-size) (e.g., `2g`)                                                                                    |

action.yml

@@ -97,6 +97,9 @@ inputs:
   sbom:
     description: 'Generate SBOM attestation for the build (shorthand for --attest=type=sbom)'
     required: false
+  sbom-dir:
+    description: 'Directory to output SBOMs for each built image'
+    required: false
   secrets:
     description: 'List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)'
     required: false

dist/index.js

@@ -34,6 +34,7 @@ export interface Inputs {
   pull: boolean
   push: boolean
   sbom: string
+  sbomDir: string
   secretFiles: string[]
   secrets: string[]
   shmSize: string
@@ -74,6 +75,7 @@ export function getInputs(): Inputs {
     pull: core.getBooleanInput('pull'),
     push: core.getBooleanInput('push'),
     sbom: core.getInput('sbom'),
+    sbomDir: core.getInput('sbom-dir'),
     secretFiles: core.getMultilineInput('secret-files'),
     secrets: core.getMultilineInput('secrets'),
     shmSize: core.getInput('shm-size'),

src/context.ts

@@ -78,6 +78,7 @@ export async function build(inputs: Inputs) {
     ...flag('--pull', inputs.pull),
     ...flag('--push', inputs.push),
     ...flag('--sbom', inputs.sbom),
+    ...flag('--sbom-dir', inputs.sbomDir),
     ...flag('--shm-size', inputs.shmSize),
     ...flag('--ssh', inputs.ssh),
     ...flag('--tag', inputs.tags),