feat(ISV-5783): use new SBOM generation workflow

jedinym · jedinym · commit df4f05c82573 · 2025-05-19T10:31:15.000+02:00
The pipeline is refactored, so that the SBOM generation tasks are no longer dependent on `push-rpm-data-to-pyxis` and `populate-release-notes`. Signed-off-by: Martin Jediny <jedinym@proton.me>
diff --git a/pipelines/managed/rh-advisories/README.md b/pipelines/managed/rh-advisories/README.md
@@ -28,6 +28,11 @@ the rh-push-to-registry-redhat-io pipeline.
 | trustedArtifactsDebug           | Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable                                             | Yes      | ""                                                        |
 | dataDir                         | The location where data will be stored                                                                                             | Yes      | /var/workdir/release                                      |
 
+## Changes in 2.0.8
+* The `update-component-sbom` and `create-product-sbom` tasks are refactored to
+  use the new SBOM generation workflow. They no longer depend on
+  `push-rpm-data-to-pyxis` and `populate-release-notes`.
+
 ## Changes in 2.0.7
 * Target for SBOM upload has been changed from Atlas v1 to Atlas v2.
 
diff --git a/pipelines/managed/rh-advisories/rh-advisories.yaml b/pipelines/managed/rh-advisories/rh-advisories.yaml
@@ -4,7 +4,7 @@ kind: Pipeline
 metadata:
   name: rh-advisories
   labels:
-    app.kubernetes.io/version: "2.0.7"
+    app.kubernetes.io/version: "2.0.8"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
@@ -707,14 +707,12 @@ spec:
         - name: data
           workspace: release-workspace
       params:
-        - name: sbomJsonPath
-          value: "$(tasks.populate-release-notes.results.sbomDataPath)"
-        - name: downloadedSbomPath
-          value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
+        - name: snapshotSpec
+          value: "$(tasks.collect-data.results.snapshotSpec)"
         - name: ociStorage
           value: $(params.ociStorage)
         - name: sourceDataArtifact
-          value: "$(tasks.push-rpm-data-to-pyxis.results.sourceDataArtifact)"
+          value: "$(tasks.apply-mapping.results.sourceDataArtifact)"
         - name: subdirectory
           value: $(tasks.collect-data.results.subdirectory)
         - name: dataDir
@@ -727,17 +725,17 @@ spec:
           value: "$(params.taskGitRevision)"
       runAfter:
         - collect-data
+        - apply-mapping
         - collect-atlas-params
-        - push-rpm-data-to-pyxis
-        - populate-release-notes
+        - push-snapshot
     - name: upload-component-sbom
       when:
         - input: "$(tasks.collect-atlas-params.results.secretName)"
           operator: notin
           values: [""]
       params:
         - name: sbomDir
-          value: "$(tasks.push-rpm-data-to-pyxis.results.sbomPath)"
+          value: "$(tasks.update-component-sbom.results.sbomPath)"
         - name: atlasSecretName
           value: "$(tasks.collect-atlas-params.results.secretName)"
         - name: ssoTokenUrl
@@ -747,7 +745,7 @@ spec:
         - name: ociStorage
           value: $(params.ociStorage)
         - name: sourceDataArtifact
-          value: "$(tasks.apply-mapping.results.sourceDataArtifact)"
+          value: "$(tasks.update-component-sbom.results.sourceDataArtifact)"
         - name: subdirectory
           value: $(tasks.collect-data.results.subdirectory)
         - name: dataDir
@@ -894,7 +892,7 @@ spec:
         - name: ociStorage
           value: $(params.ociStorage)
         - name: sourceDataArtifact
-          value: "$(tasks.populate-release-notes.results.sourceDataArtifact)"
+          value: "$(tasks.apply-mapping.results.sourceDataArtifact)"
         - name: dataDir
           value: $(params.dataDir)
         - name: trustedArtifactsDebug
@@ -916,16 +914,18 @@ spec:
         - name: data
           workspace: release-workspace
       runAfter:
+        - apply-mapping
+        - collect-data
         - collect-atlas-params
-        - populate-release-notes
+        - push-snapshot
     - name: upload-product-sbom
       when:
         - input: "$(tasks.collect-atlas-params.results.secretName)"
           operator: notin
           values: [""]
       params:
         - name: sbomDir
-          value: "$(tasks.create-product-sbom.results.productSBOMPath)"
+          value: "$(tasks.create-product-sbom.results.sbomPath)"
         - name: atlasSecretName
           value: "$(tasks.collect-atlas-params.results.secretName)"
         - name: ssoTokenUrl
diff --git a/tasks/managed/create-product-sbom/create-product-sbom.yaml b/tasks/managed/create-product-sbom/create-product-sbom.yaml
@@ -123,7 +123,7 @@ spec:
           --snapshot-path "$(params.dataDir)/$(params.snapshotSpec)" \
           --output-path "$sbom_path"
 
-        echo -n "$sbom_path" > "$(results.sbomPath.path)"
+        echo -n "$(params.sbomPath)" > "$(results.sbomPath.path)"
     - name: create-trusted-artifact
       ref:
         resolver: "git"
diff --git a/tasks/managed/update-component-sbom/update-component-sbom.yaml b/tasks/managed/update-component-sbom/update-component-sbom.yaml
@@ -123,7 +123,7 @@ spec:
           --snapshot-path "$(params.dataDir)/$(params.snapshotSpec)" \
           --output-path "$sbom_path"
 
-        echo -n "$sbom_path" > "$(results.sbomPath.path)"
+        echo -n "$(params.sbomPath)" > "$(results.sbomPath.path)"
     - name: create-trusted-artifact
       ref:
         resolver: "git"
