Add sbom generation from collected data and upload artifact

Author: javihernandez

.github/actions/shared-steps/action.yml

@@ -439,7 +439,7 @@ runs:
         echo "IMAGE_NAME=$(basename ${image_file})" >> $GITHUB_ENV
 
         # don't fail if this doesn't exist, we may not always generate it
-        # sudo mv repo-metadata-*.txt $(basename ${image_file}).repo-metadata.txt || true
+        sudo mv sbom-data-*.json $(basename ${image_file}).sbom-data.json || true
 
     #- id: 'google-auth-dev-images'
     #  if: env.IMAGE_TYPE == 'gcp'
@@ -519,9 +519,10 @@ runs:
         . ./.venv-sbom/bin/activate
         mkdir -p sbom
         shopt -s nullglob
-        for f in sbom-data/sbom-data*.json; do
+        for f in *.sbom-data.json; do
+          echo "Generating SBOM document with $f"
           base=$(basename "$f" .json)
-          python3 sbom-tools/sbom_generator.py "${base}" "$f" "${base}.spdx.json" -v
+          python3 sbom-tools/sbom_generator.py "${base}" "$f" "${base}.sbom.spdx.json"
         done
 
     # - name: Setup tmate session
@@ -620,12 +621,21 @@ runs:
 
     - uses: actions/upload-artifact@v4
       name: Store repo metadata as artifact
-      id: repo-meta-artifact
+      id: sbom-data-artifact
       if: inputs.store_as_artifact == 'true'
       with:
         compression-level: 9
-        name: ${{ env.IMAGE_NAME }}.repo-metadata.txt
-        path: ${{ env.IMAGE_FILE }}.repo-metadata.txt
+        name: ${{ env.IMAGE_NAME }}.sbom-data.json
+        path: ${{ env.IMAGE_FILE }}.sbom-data.json
+
+    - uses: actions/upload-artifact@v4
+      name: Store SBOM as artifact
+      id: sbom-artifact
+      if: inputs.store_as_artifact == 'true'
+      with:
+        compression-level: 9
+        name: ${{ env.IMAGE_NAME }}.sbom.spdx.json
+        path: ${{ env.IMAGE_FILE }}.sbom.spdx.json
 
     - uses: actions/upload-artifact@v4
       name: Store checksum as artifact

almalinux_10_gcp.pkr.hcl

@@ -117,10 +117,10 @@ build {
     ]
   }
 
-  # copy the repo metadata file into output
+  # copy SBOM metadata file into output
   post-processor "shell-local" {
     inline = [
-      "cp /tmp/repo-metadata-$PACKER_BUILD_NAME.txt output-$PACKER_BUILD_NAME/"
+      "cp /tmp/sbom-data-$PACKER_BUILD_NAME.json output-$PACKER_BUILD_NAME/"
     ]
   }
 

ansible/roles/sbom_data/tasks/main.yml

@@ -8,9 +8,9 @@
   ansible.builtin.shell: python3 /dev/shm/sbom_data_collector.py -o /dev/shm/sbom-data.json -v
   register: sbom_data_collector
 
-- name: Write repo metadata for SBOMs to artifact file
+- name: Write SBOM data to artifact file
   ansible.builtin.fetch:
     src: /dev/shm/sbom-data.json
-    dest: "{{ playbook_dir }}/../sbom-data/sbom-data-{{ packer_build_name }}.json"
+    dest: "/tmp/sbom-data-{{ packer_build_name }}.json"
     flat: true
   become: false