.github: trim down release tarballs

troglobit · troglobit · commit 5c08c4852177 · 2025-11-08T12:57:34.000+01:00
Collect only the most relevant info for SBOM. The CycloneDX format seems to be what most tools are standardizing around, and they suggest saving manifest.csv and cpe.json files. This commit includes all *.csv files and drops sources and licenses for release builds, as decided in #1192 Fixes #1217 resolves #1192 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -1,3 +1,6 @@
+# Needed for make pkg-stats
+# sudo apt install python3-aiohttp
+---
 name: Build Release
 
 on:
@@ -75,7 +78,12 @@ jobs:
 
       - name: Generate SBOM from Build
         run: |
+          # Generate manifest files in CSV format for CycloneDX
           make legal-info
+          # Generate cpe.json for CycloneDX
+          make -s show-info > output/cpe.json
+          # Generate pkg-stats.{json,html} for humans
+          make pkg-stats
 
       - name: Build test specification
         run: |
@@ -84,13 +92,18 @@ jobs:
       - name: Prepare Artifacts
         run: |
           cd output/
+
+          # Collect relevant files for SBOM and CPE info. for more info, see:
+          # https://github.com/CycloneDX/cyclonedx-buildroot
+          mkdir               images/sbom
+          mv pkg-stats.*      images/sbom/
+          mv cpe.json         images/sbom/
+          mv legal-info/*.csv images/sbom/
+
           mv images ${{ steps.vars.outputs.dir }}
           ln -s ${{ steps.vars.outputs.dir }} images
           tar cfz ${{ steps.vars.outputs.tgz }} ${{ steps.vars.outputs.dir }}
 
-          mv legal-info legal-info-${{ matrix.target }}-${{ steps.vars.outputs.ver }}
-          tar cfz legal-info-${{ matrix.target }}-${{ steps.vars.outputs.ver }}.tar.gz legal-info-${{ matrix.target }}-${{ steps.vars.outputs.ver }}
-
       - uses: actions/upload-artifact@v4
         with:
           name: artifact-${{ matrix.target }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -117,7 +117,7 @@ jobs:
           prerelease: ${{ steps.rel.outputs.pre }}
           makeLatest: ${{ steps.rel.outputs.latest }}
           discussionCategory: ${{ steps.rel.outputs.cat }}
-          bodyFile:  release.md
+          bodyFile: release.md
           artifacts: "*.tar.gz*,*.qcow2*"
 
       - name: Summary
