use leeway sbom export and leeway sbom scan

corneliusludmann · corneliusludmann · commit ae4bb2933805 · 2025-05-02T07:16:06.000Z
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -308,10 +308,24 @@ jobs:
             )  >> $GITHUB_STEP_SUMMARY
           fi
 
-          LEEWAY_BUILD_DIR=${LEEWAY_BUILD_DIR:-/workspace/.leeway/build}
-          echo "leeway_vulnerability_reports_dir=$LEEWAY_BUILD_DIR/vulnerability-reports/$(ls -Art $LEEWAY_BUILD_DIR/vulnerability-reports/ | tail -n 1)" >> $GITHUB_OUTPUT
+          sboms_dir=$(mktemp -d)
+          leeway -v sbom export --with-dependencies --output-dir "$sboms_dir -Dversion=$VERSION"
+
+          scans_dir=$(mktemp -d)
+          leeway -v sbom scan --with-dependencies --output-dir "$scans_dir -Dversion=$VERSION"
+
+          {
+            echo "leeway_sboms_dir=$sboms_dir"
+            echo "leeway_vulnerability_reports_dir=$scans_dir"
+          } >> $GITHUB_OUTPUT
 
           exit $RESULT
+      - name: Upload SBOMs
+        uses: actions/upload-artifact@v4
+        if: success()
+        with:
+          name: sboms
+          path: ${{ steps.leeway.outputs.leeway_sboms_dir }}
       - name: Upload vulnerability reports
         uses: actions/upload-artifact@v4
         if: success()
