Add OpenVEX report generation and publishing#339

Merged
openshift-merge-bot[bot] merged 1 commit into
mainfrom
vex-support
Feb 19, 2026

Conversation

@saschagrunert

@saschagrunert saschagrunert commented Feb 16, 2026

Member

Adds OpenVEX report generation to the release pipeline:

  • New scripts/vex that runs govulncheck -format openvex against the CRI-O source
  • Signs VEX files with cosign in scripts/sign-artifacts
  • Uploads to GCS alongside existing artifacts

Companion PR: cri-o/cri-o#9767

Summary by CodeRabbit

  • Chores
    • CI now fetches an OpenVEX vulnerability report during releases (best-effort; won’t block publishing).
    • Release pipeline runs the VEX fetch step before publishing artifacts.
    • Artifact signing expanded to optionally include VEX/vulnerability-report files and other additional bundle artifacts.
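The description above has the pipeline sign whatever VEX file the best-effort fetch leaves behind and upload it next to the release artifacts. A signature only asserts that the signer meant to publish the bytes, so a practitioner would want a structural check between download and cosign: the file must be an OpenVEX document, not an HTTP error body, and every not_affected statement must carry the justification that makes it reviewable downstream. The following Python script is an added example for this discussion, not code from cri-o/packaging or from this PR. The field names and status values follow the OpenVEX v0.2.0 specification; the sample documents, the vulnerability identifier and the paths are constructed placeholders.

```python
"""Structural sanity check for an OpenVEX file before it is signed.

Added example for this PR discussion, not code from cri-o/packaging. It assumes
the fetched file should be an OpenVEX v0.2.0 document such as the one
govulncheck -format openvex emits; the sample documents below are constructed.
"""
import json
import sys
from pathlib import Path

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def openvex_problems(raw: bytes) -> list[str]:
    """Return every structural problem found; an empty list means 'safe to sign'."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        # A 404 HTML page or a truncated download ends up here.
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level value is not a JSON object"]

    problems = []
    if doc.get("@context") != OPENVEX_CONTEXT:
        problems.append(f"unexpected @context {doc.get('@context')!r}")
    for field in ("@id", "author", "timestamp", "version"):
        if field not in doc:
            problems.append(f"missing document field {field}")

    statements = doc.get("statements")
    if not isinstance(statements, list) or not statements:
        problems.append("statements must be a non-empty array")
        return problems

    for idx, st in enumerate(statements):
        where = f"statements[{idx}]"
        if not isinstance(st, dict):
            problems.append(f"{where}: not an object")
            continue
        vuln = st.get("vulnerability")
        if not isinstance(vuln, dict) or not vuln.get("name"):
            problems.append(f"{where}: vulnerability.name is required")
        products = st.get("products")
        if not isinstance(products, list) or not products:
            problems.append(f"{where}: products must be a non-empty array")
        status = st.get("status")
        if status not in STATUSES:
            problems.append(f"{where}: status {status!r} is not an OpenVEX status")
        elif status == "not_affected":
            # A not_affected claim without a reason is the statement most worth
            # refusing to sign: it is the one that suppresses a finding downstream.
            if st.get("justification") not in JUSTIFICATIONS and not st.get("impact_statement"):
                problems.append(f"{where}: not_affected needs a justification or impact_statement")
    return problems


def safe_to_sign(path: Path) -> bool:
    """Gate for the signing step: only a well-formed OpenVEX document passes."""
    problems = openvex_problems(path.read_bytes())
    for problem in problems:
        print(f"{path}: {problem}", file=sys.stderr)
    return not problems


# Constructed sample in the shape govulncheck -format openvex produces (one
# statement per Go vulnerability). The @id and the GO-/CVE- identifiers are
# placeholders, not real advisories.
GOOD_DOC = json.dumps({
    "@context": OPENVEX_CONTEXT,
    "@id": "https://example.invalid/vex/cri-o.PLACEHOLDER_COMMIT",
    "author": "Unknown Author",
    "timestamp": "2026-02-16T00:00:00Z",
    "version": 1,
    "statements": [{
        "vulnerability": {"name": "GO-0000-0000", "aliases": ["CVE-0000-0000"]},
        "products": [{"@id": "Unknown Product"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    }],
}).encode()

# Constructed: what a best-effort fetch of a missing file can leave behind.
HTML_404 = b"<html><body><h1>404 Not Found</h1></body></html>"

# Constructed: valid JSON, but the not_affected claim has no justification.
_unjustified = json.loads(GOOD_DOC)
del _unjustified["statements"][0]["justification"]
UNJUSTIFIED = json.dumps(_unjustified).encode()

if __name__ == "__main__":
    # Usage: python3 check_vex.py build/bundle/*.openvex.json
    sys.exit(0 if all(safe_to_sign(Path(p)) for p in sys.argv[1:]) else 1)
```

Run it over the glob the signing script uses and make the cosign step conditional on its exit status; the check is deliberately strict about not_affected because that is the status a downstream scanner will act on by hiding the finding.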

@openshift-ci openshift-ci Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Feb 16, 2026
@openshift-ci openshift-ci Bot requested review from QiWang19 and bitoku February 16, 2026 16:17
@openshift-ci

openshift-ci Bot commented Feb 16, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 16, 2026
@coderabbitai

coderabbitai Bot commented Feb 16, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds a new best-effort step to fetch a CRI‑O OpenVEX JSON into the build archive, runs it conditionally in the bundles-publish job, and extends artifact signing to cosign any *.openvex.json files produced.

Changes

  • Workflow (.github/workflows/obs.yml): the bundles-publish job's needs changed from bundle-test to vars and bundle-test; a conditional run: scripts/vex step was added before signing, passing ARCHIVE_PATH, COMMIT and PROJECT_TYPE from needs.vars.outputs.
  • VEX script (scripts/vex): new Bash script that sources the shared vars, derives ARCHIVE_ID (uses REVISION when PROJECT_TYPE is stable), ensures the archive dir exists, downloads cri-o.$ARCHIVE_ID.openvex.json via curl_retry, and handles success/failure without failing the job.
  • Artifact signing (scripts/sign-artifacts): added detection of build/bundle/*.openvex.json and a conditional cosign sign-blob invocation to sign VEX files (producing .bundle, .sig and .cert outputs), executed alongside the existing tarball/SPDX signing steps.

Sequence Diagram(s)

sequenceDiagram
    participant GH as "GitHub Actions"
    participant Vars as "vars job (outputs)"
    participant VEX as "scripts/vex"
    participant CI as "CRI‑O Artifacts Server"
    participant SIGN as "scripts/sign-artifacts"
    participant STORAGE as "Cloud Storage"

    GH->>Vars: produce outputs (ARCHIVE_PATH, COMMIT, PROJECT_TYPE)
    GH->>VEX: run scripts/vex (conditional)
    VEX->>CI: request OpenVEX for ARCHIVE_ID
    CI-->>VEX: OpenVEX JSON or not-found
    VEX->>GH: write cri-o.$ARCHIVE_ID.openvex.json into ARCHIVE_PATH
    GH->>SIGN: invoke sign-artifacts
    SIGN->>SIGN: locate and cosign tarballs, SPDX, and *.openvex.json
    SIGN->>STORAGE: upload signed artifacts
    STORAGE-->>GH: upload confirmation

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I hopped to fetch a VEX by moonlit code,

Saved it neat in the archive road,
With a nibble I signed each tiny line,
Tucked them safe where builds can shine,
A joyful hop — CI smiles, all fine.

Pre-merge checks: 3 passed
  • Description Check: passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: passed. The title accurately and clearly summarizes the main change: adding OpenVEX report generation and publishing to the release pipeline.
  • Docstring Coverage: passed. No functions found in the changed files to evaluate docstring coverage, so the check was skipped.


@saschagrunert

Member Author

/release-note-none

@openshift-ci openshift-ci Bot added release-note-none and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Feb 16, 2026

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
scripts/vex (1)

24-27: Verify REVISION is available when PROJECT_TYPE == stable.

When PROJECT_TYPE is stable, the script uses $REVISION (line 26), but REVISION is not explicitly passed in the workflow step's env block (lines 168-173 in obs.yml). It is available as a workflow-level env var (line 28), so this should work — but it's worth noting the implicit dependency for clarity and consistency with the other env vars being explicitly passed.

Consider explicitly passing REVISION in the workflow step env

In .github/workflows/obs.yml, add REVISION to the vex step's env block for consistency:

       - run: scripts/vex
         if: ${{ inputs.skip-bundles == false && github.event_name != 'pull_request' }}
         env:
           ARCHIVE_PATH: ${{ needs.vars.outputs.archive_path }}
           COMMIT: ${{ needs.vars.outputs.commit }}
           GIT_ROOT: ${{ needs.vars.outputs.git_root }}
           PROJECT_TYPE: ${{ needs.vars.outputs.project_type }}
+          REVISION: ${{ inputs.revision || 'main' }}
           VERSION: ${{ needs.vars.outputs.version }}
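Review bot: The added `REVISION: ${{ inputs.revision || 'main' }}` re-derives a value that, per the comment above, already exists as a workflow-level env var, so the step now carries a second definition of REVISION that can drift from the first if the default is ever changed in only one place. Either keep relying on the workflow-level value, or pass it the way the neighbouring entries are passed (`REVISION: ${{ needs.vars.outputs.revision }}`, if the vars job exposes such an output) so every input to scripts/vex has a single source. It is also worth confirming that the workflow declares a `revision` input: an `inputs.revision` reference on a workflow without one evaluates to empty, and the `|| 'main'` fallback would then always win without any error.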

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/obs.yml:
- Around line 162-168: Remove the unnecessary GIT_ROOT environment variable from
the scripts/vex step: update the env block for the step that runs scripts/vex to
only pass ARCHIVE_PATH, COMMIT, and PROJECT_TYPE (remove GIT_ROOT since
scripts/vex does not consume it while scripts/vars is the only consumer that
needs it).
🧹 Nitpick comments (1)
scripts/sign-artifacts (1)

18-23: Glob may fail if no .openvex.json files exist.

This is a pre-existing pattern (same risk on lines 4 and 11), but worth noting: if the glob matches nothing, bash iterates with the literal string, and cosign will error out under set -e. Consider enabling nullglob at the top of the script so all three loops safely become no-ops when there are no matching files.

Suggested fix
 #!/usr/bin/env bash
 set -euo pipefail
+shopt -s nullglob
 
 for TARBALL in build/bundle/*.tar.gz; do
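Review bot: `shopt -s nullglob` turns all three loops into no-ops when nothing matches, which is what the optional VEX file needs, but it also means a bundle directory with no tarballs or SPDX files passes through signing silently and the job still succeeds. Since the tarballs are mandatory release artifacts, pair the option with an explicit check after the tarball loop (for example count the iterations and `[[ $signed -gt 0 ]] || { echo "no tarballs to sign" >&2; exit 1; }`) so a broken upstream build step fails here rather than at publish time. Note that the option applies to every unquoted glob in the script, not only these three loops.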


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
scripts/vex (1)

7-9: Quote variable expansions to prevent word splitting.

$COMMIT and $REVISION should be quoted for robustness, consistent with the quoted usage of $ARCHIVE_PATH on line 13.

Proposed fix
-ARCHIVE_ID=$COMMIT
+ARCHIVE_ID="$COMMIT"
 if [[ $PROJECT_TYPE == stable ]]; then
-    ARCHIVE_ID="$REVISION"
+    ARCHIVE_ID="$REVISION"
 fi
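Review bot: The second pair of lines in this hunk is a no-op: `-    ARCHIVE_ID="$REVISION"` and `+    ARCHIVE_ID="$REVISION"` are identical, so only the first line (`ARCHIVE_ID="$COMMIT"`) actually changes; trim the suggestion to that line. Quoting protects against word splitting but not against an empty value: even with `set -u` only unset variables are rejected, so an empty COMMIT (or REVISION on a stable branch) still yields an empty ARCHIVE_ID and a download of `cri-o..openvex.json`. A `: "${COMMIT:?COMMIT must be set}"` guard before the assignment, and the same for REVISION inside the stable branch, turns that into an early and explicit failure.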

@saschagrunert saschagrunert changed the title WIP: Add OpenVEX report generation and publishing Add OpenVEX report generation and publishing Feb 17, 2026
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 17, 2026

@coderabbitai coderabbitai Bot left a comment


🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/obs.yml:
- Around line 162-167: The scripts/vex step placement and gating are
correct—leave the step as-is: keep the step named/using scripts/vex, retain the
if condition (if: ${{ inputs.skip-bundles == false && github.event_name !=
'pull_request' }}), and preserve the env entries (ARCHIVE_PATH, COMMIT,
PROJECT_TYPE) so the vex download runs after bundle artifacts are available and
before sign-artifacts; no changes required.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
scripts/sign-artifacts (1)

19-25: Glob expansion into a scalar is fragile if multiple VEX files ever land in the directory.

echo build/bundle/*.openvex.json concatenates all matches into one string. If more than one .openvex.json file is present, $VEX becomes a space-separated list, [[ -e "$VEX" ]] will fail, and cosign sign-blob would receive a bad path. A for loop (matching the existing tarball/SBOM patterns) is more defensive and consistent:

Suggested change
-# Sign VEX file if available (not every release branch publishes one).
-VEX=$(echo build/bundle/*.openvex.json)
-if [[ -e "$VEX" ]]; then
-    cosign sign-blob -y "$VEX" \
-        --bundle "$VEX.bundle" \
-        --output-signature "$VEX.sig" \
-        --output-certificate "$VEX.cert"
-fi
+# Sign VEX files if available (not every release branch publishes one).
+for VEX in build/bundle/*.openvex.json; do
+    [[ -e "$VEX" ]] || continue
+    cosign sign-blob -y "$VEX" \
+        --bundle "$VEX.bundle" \
+        --output-signature "$VEX.sig" \
+        --output-certificate "$VEX.cert"
+done
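Review bot: The `[[ -e "$VEX" ]] || continue` guard and the `shopt -s nullglob` suggested earlier in this thread solve the same problem (an unmatched glob iterating over its literal pattern); pick one mechanism and apply it to all three loops rather than guarding only this one, otherwise the tarball and SPDX loops keep the failure mode this loop avoids. Whichever shape lands, the `.bundle` written by `cosign sign-blob` is what consumers should check with `cosign verify-blob --bundle` against the expected signing identity before trusting the VEX statements: a not_affected statement in a file whose signature does not verify should carry no weight, since that is the path by which a tampered VEX file would hide a real finding.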
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/sign-artifacts` around lines 19 - 25, The current VEX variable uses
echo on a glob (VEX=$(echo build/bundle/*.openvex.json)) which concatenates
matches into one scalar; replace that with an explicit loop: iterate over
build/bundle/*.openvex.json (for VEX in build/bundle/*.openvex.json; do ...
done), skip non-existing matches with a guard (e.g. [[ -e "$VEX" ]] ||
continue), and run the existing cosign sign-blob -y "$VEX" --bundle
"$VEX.bundle" --output-signature "$VEX.sig" --output-certificate "$VEX.cert" for
each file so multiple .openvex.json files are handled safely and consistently.

Make VEX download best-effort since not every CRI-O release branch
publishes VEX information.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@saschagrunert

saschagrunert commented Feb 18, 2026

Member Author

@coderabbitai

We only have one vex file per build.

@saschagrunert

Member Author

@cri-o/cri-o-maintainers PTAL

@coderabbitai

coderabbitai Bot commented Feb 18, 2026


@saschagrunert, thank you for the clarification! I've noted that there will only be one VEX file per build.


✏️ Learnings added
Learnt from: saschagrunert
URL: https://github.com/cri-o/packaging/pull/339

Timestamp: 2026-02-18T12:53:54.070Z
Learning: In the cri-o/packaging repository, there is only one OpenVEX file generated per build, even though the glob pattern `build/bundle/*.openvex.json` is used in scripts/sign-artifacts.


@saschagrunert

Member Author

@cri-o/cri-o-maintainers PTAL

@bitoku

bitoku commented Feb 19, 2026

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Feb 19, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 6d656f9 into main Feb 19, 2026
35 checks passed
@saschagrunert saschagrunert deleted the vex-support branch February 19, 2026 13:32