From b21f2f03bcfa1e51f39b52690732017787c4d03f Mon Sep 17 00:00:00 2001
From: Vegar Sechmann Molvig
Date: Wed, 22 Mar 2023 12:53:06 +0100
Subject: [PATCH] allow specifying sbom

---
 action.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/action.yml b/action.yml
index dc5916f..beefa35 100644
--- a/action.yml
+++ b/action.yml
@@ -9,6 +9,10 @@ inputs:
 description: 'image ref, i.e. "europe-north1-docker.pkg.dev/nais-io/nais/images/canary-deployer@sha256:eac1f85bee008dfe4ca0eadd1f32256946a171b445d129dba8f00cc67d43582b"'
 required: true
+ sbom:
+ description: 'existing SBOM in cyclonedx format'
+ default: 'auto-generate-for-me-please.json'
+
 runs:
 using: 'composite'
 steps:
@@ -18,15 +22,16 @@ runs:
 cosign-release: 'v2.0.0'
 - name: 'Generate SBOM'
+ if: inputs.sbom == 'auto-generate-for-me-please.json'
 uses: 'aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252' # ratchet:aquasecurity/trivy-action@master
 with:
 scan-type: 'image'
 format: 'cyclonedx'
- output: 'cyclone.sbom.json'
+ output: 'auto-generate-for-me-please.json'
 image-ref: "${{ inputs.image_ref }}"
 - name: 'Sign and attest image'
 shell: 'bash'
 run: |
 cosign sign --yes "${{ inputs.image_ref }}"
- cosign attest --yes --predicate cyclone.sbom.json --type cyclonedx "${{ inputs.image_ref }}"
+ cosign attest --yes --predicate "${{ inputs.sbom }}" --type cyclonedx "${{ inputs.image_ref }}"
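Review bot: The new `sbom` input's description does not tell callers what the value is or what the default does: it must be a path to a CycloneDX JSON file that already exists on the runner, and leaving it unset makes the action generate one with trivy and attest that instead. The literal `auto-generate-for-me-please.json` is a magic sentinel repeated in the `default:`, the `if:` and the trivy `output:`, so a caller who happens to pass that exact name also triggers generation; documenting it as reserved keeps that from surprising anyone. Suggested wording: `description: 'path to an existing CycloneDX JSON SBOM to attest; leave unset to generate one with trivy (the default value is a reserved sentinel, not a real file)'`.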
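Review bot: The rewritten `cosign attest` line expands `${{ inputs.sbom }}` directly inside the `run:` script, so the input is substituted into the shell text before bash parses it; a caller-controlled value containing shell metacharacters becomes part of the command rather than an argument, which is the pattern GitHub's own hardening guidance tells actions to avoid (the existing `image_ref` expansion on the line above has the same shape, but this commit adds a second one). Pass the value through the environment instead: add `env:` with `SBOM: ${{ inputs.sbom }}` to the step and write `cosign attest --yes --predicate "$SBOM" --type cyclonedx "${{ inputs.image_ref }}"`. It is also worth a one-line comment above the step noting that a caller-supplied SBOM is attested as-is, since nothing here checks that the file is valid CycloneDX or actually describes `image_ref`; the `if:`-gated trivy step only covers the default case. The enclosing `steps:` sequence ends outside the hunk.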