@@ -25,6 +25,9 @@ defaults:
2525
2626env :
2727 FILESERVER_URL : https://quic-yocto-fileserver-1029608027416.us-central1.run.app
28+ # github runs are only unique per repository and may also be re-run; create a
29+ # build id for the current run
30+ BUILD_ID : ${{ github.repository }}-${{ github.run_id }}-${{ github.run_attempt }}
2831
2932# cancel in progress builds for this workflow triggered by the same ref
3033concurrency :
@@ -33,6 +36,7 @@ concurrency:
3336
3437jobs :
3538 build-debos :
39+ name : Build and upload debos recipes
3640 runs-on : [self-hosted, arm64, debbuilder]
3741 container :
3842 image : debian:trixie
@@ -90,17 +94,14 @@ jobs:
9094 # build flashable files
9195 debos -t u_boot_rb1:rb1-boot.img qualcomm-linux-debian-flash.yaml
9296
93- - name : Upload artifacts to fileserver
97+ - name : Upload artifacts to fileserver space for builds
9498 run : |
9599 set -x
96100 # curl will be used to talk to fileserver; should be installed by
97101 # default
98102 apt -y install curl
99- # github runs are only unique per repository and may also be re-run;
100- # create an unique id with repository, run id, and run attempt
101- id="${GITHUB_REPOSITORY}-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
102103 # create a directory for the current run
103- dir="/fileserver-builds/${id }"
104+ dir="/fileserver-builds/${BUILD_ID }"
104105 mkdir -vp "${dir}"
105106 # copy output files
106107 cp -av rootfs.tar.gz "${dir}"
@@ -117,6 +118,67 @@ jobs:
117118 disk-sdcard.img2 \
118119 flash_rb1*
119120 # instruct fileserver to publish this directory
120- url="${FILESERVER_URL}/${id}/"
121+ url="${FILESERVER_URL}/${BUILD_ID}/"
122+ curl -X POST -H 'Accept: text/event-stream' "${url}"
123+
124+ - name : Upload artifacts to fileserver space for downloads
125+ run : |
126+ set -ux
127+ # create a directory for the current run
128+ dir="/fileserver-downloads/${BUILD_ID}"
129+ mkdir -vp "${dir}"
130+ # copy output files
131+ cp -av rootfs.tar.gz "${dir}"
132+
133+ syft :
134+ name : Run syft on rootfs
135+ # nowadays also available on arm64; set x86 for predictability
136+ runs-on : [self-hosted, x86]
137+ needs : build-debos
138+ container :
139+ # this is the upstream maintained image, not sure what criteria it has to
140+ # pass to be considered trusted; also, we assume it's Debian/Ubuntu-based
141+ # and that misc tool such as apt/tar/nproc/curl will be available
142+ image : anchore/syft
143+ volumes :
144+ - /srv/gh-runners/quic-yocto/builds:/fileserver-builds
145+ - /srv/gh-runners/quic-yocto/downloads:/fileserver-downloads
146+ steps :
147+ - name : Get rootfs, generate SBOM with syft and upload to fileserver
148+ run : |
149+ set -ux
150+ # curl will be used to talk to fileserver; should be installed by
151+ # default
152+ apt -y install curl
153+ # retrieve and unpack rootfs
154+ cp -av /fileserver-downloads/${BUILD_ID}/rootfs.tar.gz .
155+ mkdir rootfs
156+ tar -C rootfs -xvf rootfs.tar.gz
157+ # run syft
158+ # TODO should probably restrict catalogers a bit as the rootfs is
159+ # built entirely from deb packages
160+ # TODO should set source-version
161+ syft --version
162+ SYFT_FORMAT_JSON_PRETTY=true syft -v \
163+ -o cyclonedx-json=rootfs-sbom.cyclonedx.json \
164+ -o spdx-json=rootfs-sbom.spdx.json \
165+ -o syft-json=rootfs-sbom.syft.json \
166+ -o syft-text=rootfs-sbom.syft.txt \
167+ -o syft-table \
168+ --parallelism `nproc` \
169+ --source-name qualcomm-linux-debian-rootfs \
170+ --source-version "${BUILD_ID}" \
171+ -v \
172+ scan rootfs
173+ # compress
174+ gzip rootfs-sbom*
175+ # copy to fileserver
176+ for dir in
177+ "/fileserver-builds/${BUILD_ID}"
178+ "/fileserver-downloads/${BUILD_ID}"; do
179+ cp -av rootfs-sbom*.gz "${dir}"
180+ done
181+ # instruct fileserver to publish this directory
182+ url="${FILESERVER_URL}/${BUILD_ID}/"
121183 curl -X POST -H 'Accept: text/event-stream' "${url}"
122184
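Review bot: The `for dir in` loop near the end of the syft step is split across three lines with no `\` continuations, so as printed bash reads an empty word list and aborts with a syntax error on the next line, and the SBOM files are never copied; either join it to one line, `for dir in "/fileserver-builds/${BUILD_ID}" "/fileserver-downloads/${BUILD_ID}"; do`, or terminate the first two lines with `\` as the `syft` invocation above does. `image: anchore/syft` is an unpinned floating tag for the very tool that produces the SBOM and that runs with both fileserver volumes mounted; pin it to a version tag plus an `@sha256:<digest-placeholder>` digest so the output is reproducible and an upstream image change cannot silently alter what executes here. The comment above it already admits the base image is unverified, and if the published image is built from scratch/distroless (as I believe it is) the `apt`, `tar`, `cp` and `nproc` calls in this step would not exist at all, so that should be checked on a pinned image before relying on it. Because `BUILD_ID` includes `github.run_attempt`, re-running only the `syft` job yields a new id while the rootfs still sits under the previous attempt's directory, so the `cp -av /fileserver-downloads/${BUILD_ID}/rootfs.tar.gz .` line will fail unless `build-debos` is re-run as well; if that is intended, say so in a comment, and quote `"${BUILD_ID}"` there as every other expansion in the step is.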