@@ -148,20 +148,17 @@ jobs:
148148 - /srv/gh-runners/quic-yocto/builds:/fileserver-builds
149149 - /srv/gh-runners/quic-yocto/downloads:/fileserver-downloads
150150 steps :
151- - name : Get rootfs, generate SBOM with syft and upload to fileserver
151+ - name : Retrieve rootfs from fileserver
152+ run : cp -av /fileserver-downloads/${BUILD_ID}/rootfs.tar.gz .
153+
154+ - name : Unpack rootfs
155+ run : mkdir -v rootfs && tar -C rootfs -xvf rootfs.tar.gz
156+
157+ - name : Generate SBOMs with Syft
152158 run : |
153159 set -ux
154- # curl will be used to talk to fileserver; should be installed by
155- # default
156- apt -y install curl
157- # retrieve and unpack rootfs
158- cp -av /fileserver-downloads/${BUILD_ID}/rootfs.tar.gz .
159- mkdir rootfs
160- tar -C rootfs -xvf rootfs.tar.gz
161- # run syft
162160 # TODO should probably restrict catalogers a bit as the rootfs is
163161 # built entirely from deb packages
164- # TODO should set source-version
165162 syft --version
166163 SYFT_FORMAT_JSON_PRETTY=true syft -v \
167164 -o cyclonedx-json=rootfs-sbom.cyclonedx.json \
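Review bot: `${BUILD_ID}` is expanded unquoted and unguarded in the new one-line step at new line 152 (`cp -av /fileserver-downloads/${BUILD_ID}/rootfs.tar.gz .`), whereas the upload step later in the file quotes it; a one-line `run:` carries no `set -u`, so an empty BUILD_ID resolves to `/fileserver-downloads//rootfs.tar.gz` and the failure message points at a wrong path instead of at the missing variable. Suggest `run: cp -av "/fileserver-downloads/${BUILD_ID:?}/rootfs.tar.gz" .`. On the unpack step at new line 155, `tar -C rootfs -xvf rootfs.tar.gz` lists every file of the root filesystem in the job log; `mkdir -v rootfs && tar -C rootfs -xf rootfs.tar.gz` keeps the log readable while failing the same way on a bad archive. The syft invocation continues past the end of this hunk.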
@@ -174,14 +171,16 @@ jobs:
174171 --source-version "${BUILD_ID}" \
175172 -v \
176173 scan rootfs
177- # compress
174+ # compress SBOMs
178175 gzip rootfs-sbom*
179- # copy to fileserver
180- for dir in
181- "/fileserver-builds/${BUILD_ID}"
182- "/fileserver-downloads/${BUILD_ID}"; do
183- cp -av rootfs-sbom*.gz "${dir}"
184- done
176+
177+ - name : Upload SBOMs to fileserver space for builds
178+ run : |
179+ # curl will be used to talk to fileserver; should be installed by
180+ # default
181+ apt -y install curl
182+ # copy SBOMs to fileserver space for builds
183+ cp -av rootfs-sbom*.gz "/fileserver-builds/${BUILD_ID}"
185184 # instruct fileserver to publish this directory
186185 url="${FILESERVER_URL}/${BUILD_ID}/"
187186 curl -X POST -H 'Accept: text/event-stream' "${url}"
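Review bot: The publish request at the end of the new upload step, `curl -X POST -H 'Accept: text/event-stream' "${url}"`, does not fail on an HTTP error status, so a fileserver that rejects the publish (4xx/5xx) leaves the step green with the SBOMs unpublished; `curl -sS --fail -X POST -H 'Accept: text/event-stream' "${url}"` surfaces that as a step failure. The new `run: |` block also lacks the `set -u` that the syft step above has (`set -ux`), so with BUILD_ID empty the `cp -av rootfs-sbom*.gz "/fileserver-builds/${BUILD_ID}"` drops the archives at the top of the builds share and the POST goes to `${FILESERVER_URL}//`; a `set -u` line at the top of the block, or `"${BUILD_ID:?}"` in both places, closes that. Minor: `apt` prints a "does not have a stable CLI interface" warning when scripted, and the comment says curl should already be present, so `command -v curl >/dev/null || apt-get -y install curl` is the more conventional form.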