fix(ci): trim SBOM to fit under 16MB attestation limit#809
Merged
Conversation
… attestations

Replace Cosign keyless signing with GitHub's actions/attest-build-provenance and actions/attest-sbom actions, eliminating external Sigstore/Rekor dependencies. Re-enable SBOM attestation (previously disabled due to Rekor rejecting payloads). Add build provenance attestation for release binary assets.

- Replace cosign sign with actions/attest-build-provenance for all images
- Replace cosign attest with actions/attest-sbom for SBOM attestation
- Add binary release asset attestation (tar.gz and SHA256SUMS)
- Delete sign-image.sh, sign-binary.sh, sign-image.yml
- Remove attest_sbom_with_retry and attest_sbom_to_multiarch from sbom-scan.sh
- Rewrite verify-image.sh to use gh attestation verify
- Support both GHCR orgs (midnight-ntwrk and midnightntwrk)

JIRA: SRE-1910
The --format '{{.Manifest.Digest}}' template only works for manifest lists, not single-arch v2 manifests. Replace with --raw | sha256sum which computes the correct content-addressable digest for any manifest type.
Replace cosign verify-blob with gh attestation verify. Add test job to test-attestation.yml to validate the script against an attested test binary.
…testations Replace all cosign/Sigstore references with GitHub native attestation commands (gh attestation verify). Remove .sig/.pem file references, Rekor/Fulcio architecture descriptions, and Sigstore outage procedures. Remove test-attestation.yml (validated, no longer needed).
Resolves GHSA-mw96-cpmx-2vgc (arbitrary file write via path traversal in rollup 4.0.0-4.58.0).
Syft v1.20.0+ enables a file cataloger by default that lists every file in the container, bloating the SBOM from ~1.4MB to ~24MB. This exceeds the 16MB hard limit in actions/attest-sbom, causing "predicate file exceeds maximum allowed size" errors. Adding --select-catalogers '-file' to exclude file metadata that isn't needed for vulnerability scanning. Includes a temporary test workflow to validate the fix against the same midnight-node image that failed.
The midnight-node image produces a 19MB+ SBOM even without file cataloger entries, exceeding the actions/attest-sbom 16MB hard limit. Strip SPDX relationships before attesting while preserving the full SBOM as a build artifact.
…e-attestations

# Conflicts:
# .github/workflows/sbom-scan-image.yml
jbm099 (Contributor) approved these changes, Feb 27, 2026
gilescope approved these changes, Feb 27, 2026
m2ux added a commit that referenced this pull request, Feb 27, 2026:
Resolve merge conflict with #809 (trim SBOM for 16MB limit). Keep Cosign-based attestation from this PR, add trim_sbom_for_attestation step before cosign attest, and attest the trimmed SBOM. Full SBOM is still uploaded as a build artifact. Made-with: Cursor
gilescope pushed a commit that referenced this pull request, Apr 8, 2026
m2ux added a commit that referenced this pull request, Apr 23, 2026:
Signed-off-by: Mike Clay <mike.clay@shielded.io>
m2ux added a commit that referenced this pull request, Apr 23, 2026:
Signed-off-by: Mike Clay <mike.clay@shielded.io>
Overview
The midnight-node image produces a ~19MB SBOM (1,990 packages), exceeding the hard-coded 16MB limit in actions/attest-sbom. This causes SBOM attestation to fail with `predicate file exceeds maximum allowed size: 16777216 bytes`.

Fix: trim the SBOM before attesting, keep the full version as artifact.
Two optimizations applied to `generate_sbom_with_retry` and a new `trim_sbom_for_attestation` function:

1. Exclude the Syft file cataloger (`--select-catalogers '-file'`), which removes per-file entries and reduces the SBOM from ~22MB to ~19MB.
2. Strip SPDX relationships (`jq -c 'del(.relationships)'`), which removes inter-package dependency edges and whitespace and reduces the SBOM from ~19MB to ~12.3MB (4.5MB headroom under the 16MB limit).

The full unmodified SBOM is still uploaded as a build artifact for detailed analysis. The attested SBOM retains all 1,990 packages with names, versions, licenses, checksums, and SPDX IDs.
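The trim step described above (and in the "Strip SPDX relationships before attesting" commit) is a one-line jq pipeline in the project's workflow. The following is an added example, not code from this PR or the midnight-node repository, that performs the same transformation in Python so it can be run stand-alone: it drops the top-level SPDX `relationships` array, re-serializes compactly (the equivalent of `jq -c`), checks the result against the 16777216-byte actions/attest-sbom limit quoted in the description, and refuses to hand over a payload whose package list differs from the full SBOM. The sample SPDX document, its package names and checksums are constructed for the example; the function names are the example's own, not the workflow's.

```python
import json

# Hard limit enforced by actions/attest-sbom, from the error in the PR description.
ATTEST_SBOM_MAX_BYTES = 16777216

# Constructed miniature SPDX 2.3 document standing in for the pretty-printed Syft
# output. The real midnight-node SBOM has 1,990 packages; this one has three.
SAMPLE_SBOM_PRETTY = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"name": "openssl", "SPDXID": "SPDXRef-Package-openssl", "versionInfo": "3.0.13",
         "licenseConcluded": "Apache-2.0",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}]},
        {"name": "zlib", "SPDXID": "SPDXRef-Package-zlib", "versionInfo": "1.3.1",
         "licenseConcluded": "Zlib",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "11" * 32}]},
        {"name": "rollup", "SPDXID": "SPDXRef-Package-rollup", "versionInfo": "4.59.0",
         "licenseConcluded": "MIT",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "22" * 32}]},
    ],
    # Dependency edges: useful for analysis, not needed for vulnerability matching.
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-openssl",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-zlib",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-Package-openssl", "relatedSpdxElement": "SPDXRef-Package-zlib",
         "relationshipType": "DEPENDS_ON"},
    ],
}, indent=2)


def trim_sbom_for_attestation(sbom_text: str) -> bytes:
    """Equivalent of `jq -c 'del(.relationships)'`: drop the relationships array
    and serialize without insignificant whitespace. Packages are left untouched."""
    doc = json.loads(sbom_text)
    doc.pop("relationships", None)
    return json.dumps(doc, separators=(",", ":")).encode("utf-8")


def package_ids(sbom_bytes: bytes) -> list:
    """Sorted SPDX IDs of every package, used to prove the trim lost no packages."""
    return sorted(p["SPDXID"] for p in json.loads(sbom_bytes)["packages"])


def has_relationships(sbom_bytes: bytes) -> bool:
    return "relationships" in json.loads(sbom_bytes)


def fits_attestation_limit(payload: bytes, limit: int = ATTEST_SBOM_MAX_BYTES) -> bool:
    return len(payload) <= limit


def prepare_attestation_payload(full_sbom_text: str, limit: int = ATTEST_SBOM_MAX_BYTES):
    """Return (trimmed_bytes, report). The full SBOM text is what the workflow keeps
    as a build artifact; only the trimmed bytes go to the attestation step.
    Raises ValueError if the trimmed SBOM still exceeds the limit, so the job fails
    with a clear message instead of attest-sbom rejecting the predicate later."""
    full_bytes = full_sbom_text.encode("utf-8")
    trimmed = trim_sbom_for_attestation(full_sbom_text)
    if package_ids(full_bytes) != package_ids(trimmed):
        raise RuntimeError("trim changed the package list; refusing to attest")
    if not fits_attestation_limit(trimmed, limit):
        raise ValueError(
            f"trimmed SBOM is {len(trimmed)} bytes, over the {limit}-byte attestation limit")
    report = {
        "full_bytes": len(full_bytes),
        "trimmed_bytes": len(trimmed),
        "headroom_bytes": limit - len(trimmed),
        "packages": len(package_ids(trimmed)),
    }
    return trimmed, report


if __name__ == "__main__":
    _, info = prepare_attestation_payload(SAMPLE_SBOM_PRETTY)
    print(json.dumps(info, indent=2))
```

On a real run `full_sbom_text` would be the Syft output read from disk; the package-count check is the property the PR description promises (all 1,990 packages survive the trim), so it is cheap insurance to assert in the workflow rather than trust by inspection.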