Upload sbom artifacts

alexiri · alexiri · commit 9567e4d6287c · 2025-09-20T12:45:58.000+02:00
diff --git a/.github/actions/sbom/action.yml b/.github/actions/sbom/action.yml
@@ -5,11 +5,18 @@ inputs:
   image-ref:
     description: The reference to the image for which the SBOM will be generated
     required: true
+  artifact-name:
+    description: The name to use for the uploaded SBOM artifact (without extension)
+    required: false
+    default: sbom
 
 outputs:
   sbom-path:
     description: The path to the generated SBOM file
     value: ${{ steps.generate-sbom.outputs.OUTPUT_PATH }}
+  artifact-name:
+    description: The name of the uploaded SBOM artifact (with extension)
+    value: ${{ steps.generate-sbom.outputs.ARTIFACT_NAME }}
 
 runs:
   using: "composite"
@@ -35,7 +42,17 @@ runs:
         $SYFT_CMD ${{ inputs.image-ref }} --select-catalogers "rpm,+sbom-cataloger" -o spdx-json=${OUTPUT_PATH}
         echo "OUTPUT_PATH=${OUTPUT_PATH}" >> $GITHUB_OUTPUT
 
-    - name: Add SBOM to release
-      uses: anchore/sbom-action/publish-sbom@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0
+        NAME=${{ inputs.artifact-name }}
+        # Remove consecutive dashes (when there's no variant, for example)
+        NAME=${NAME//--/-}
+        # Set ARTIFACT_NAME for use in artifact upload (replace / with _)
+        echo "ARTIFACT_NAME=${NAME//\//_}.spdx.json" >> "$GITHUB_OUTPUT"
+
+    - name: Upload SBOM to Job Artifacts
+      id: upload-sbom
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
-        sbom-artifact-match: ${{ steps.generate-sbom.outputs.OUTPUT_PATH }}
+        name: ${{ steps.generate-sbom.outputs.ARTIFACT_NAME }}
+        path: ${{ steps.generate-sbom.outputs.OUTPUT_PATH }}
+        if-no-files-found: error
+        compression-level: 9
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -203,6 +203,7 @@ jobs:
         if: ${{ inputs.generate-sbom == true && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || github.event.pull_request.merged == true) }}
         with:
           image-ref: ${{ steps.build.outputs.image-ref }}@${{ steps.build.outputs.digest }}
+          artifact-name: ${{ inputs.image-name }}-${{ inputs.variant }}-${{ matrix.platform }}
 
       - uses: ./github-actions/.github/actions/sign
         name: Sign image
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -83,3 +83,4 @@ jobs:
           tag_name: ${{ inputs.version }}
           body_path: ./changelog.md
           make_latest: true
+          files: *.spdx.json
