# Buildx SBOM Demo Workflow

This sample GitHub Actions workflow shows how to run the StellaOps BuildX generator alongside a container build.

## What it does

1. Publishes the `StellaOps.Scanner.Sbomer.BuildXPlugin` with the manifest copied beside the binaries.
2. Calls the plug-in `handshake` command to verify the local CAS directory.
3. Builds a tiny Alpine-based image via `docker buildx`.
4. Generates a CycloneDX SBOM from the built image with `docker sbom`.
5. Emits a descriptor + provenance placeholder referencing the freshly generated SBOM with the `descriptor` command.
6. Sends the placeholder to a mock Attestor endpoint and uploads the descriptor, SBOM, and captured request as artefacts. (Swap the mock step with your real Attestor URL + `STELLAOPS_ATTESTOR_TOKEN` secret when ready.)

## Files

- `github-actions-buildx-demo.yml` – workflow definition (`workflow_dispatch` + `demo/buildx` branch trigger).
- `Dockerfile` – minimal demo image.
- `github-actions-buildx-demo.yml` now captures a real SBOM via `docker sbom`.

## Running locally

```bash
dotnet publish src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/StellaOps.Scanner.Sbomer.BuildXPlugin.csproj -c Release -o out/buildx

dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll handshake \
  --manifest out/buildx \
  --cas out/cas

docker buildx build --load -t stellaops/buildx-demo:ci samples/ci/buildx-demo
DIGEST=$(docker image inspect stellaops/buildx-demo:ci --format '{{index .RepoDigests 0}}')

docker sbom stellaops/buildx-demo:ci --format cyclonedx-json > out/buildx-sbom.cdx.json

dotnet out/buildx/StellaOps.Scanner.Sbomer.BuildXPlugin.dll descriptor \
  --manifest out/buildx \
  --image "$DIGEST" \
  --sbom out/buildx-sbom.cdx.json \
  --sbom-name buildx-sbom.cdx.json \
  > out/buildx-descriptor.json
```

The descriptor JSON contains deterministic annotations and provenance placeholders ready for the Attestor.