Merge pull request #73 from LaurentGoderre/sbom-arch-check

Move arch check from SBOM generation to this script

Author: tianon

doi.jq

@@ -155,14 +155,20 @@ def _sbom_subset:
 # input: "build" object (with "buildId" top level key)
 # output: boolean
 def build_should_sbom:
-	.source.arches[.build.arch].tags
-	| map(split(":")[0])
-	| unique
-	| _sbom_subset as $subset
-	| any(.[];
-		. as $i
-		| $subset
-		| index($i)
+	# see "bashbrew remote arches docker/scout-sbom-indexer:1" (we need the SBOM scanner to be runnable on the host architecture)
+	# bashbrew remote arches --json docker/scout-sbom-indexer:1 | jq '.arches | keys_unsorted' -c
+	(
+		.build.arch as $arch | ["amd64","arm32v5","arm32v7","arm64v8","i386","ppc64le","riscv64","s390x"] | index($arch)
+	) and (
+		.source.arches[.build.arch].tags
+		| map(split(":")[0])
+		| unique
+		| _sbom_subset as $subset
+		| any(.[];
+			. as $i
+			| $subset
+			| index($i)
+		)
 	)
 ;
 

meta.jq

@@ -143,12 +143,7 @@ def build_command:
 					"docker buildx build --progress=plain",
 					"--provenance=mode=max",
 					if build_should_sbom then
-						# see "bashbrew remote arches docker/scout-sbom-indexer:1" (we need the SBOM scanner to be runnable on the host architecture)
-						# bashbrew remote arches --json docker/scout-sbom-indexer:1 | jq '.arches | keys_unsorted' -c
-						if .build.arch as $arch | ["amd64","arm32v5","arm32v7","arm64v8","i386","ppc64le","riscv64","s390x"] | index($arch) then
-							# TODO this needs to be based on the *host* architecture, not the *target* architecture (amd64 vs i386)
-							"--sbom=generator=\"$BASHBREW_BUILDKIT_SBOM_GENERATOR\""
-						else empty end
+						"--sbom=generator=\"$BASHBREW_BUILDKIT_SBOM_GENERATOR\""
 					else empty end,
 					"--output " + (
 						[