workflows: debos: Generate rootfs SBOM with syft

lool · lool · commit 44ea7422d173 · 2025-05-21T18:57:29.000+02:00
Signed-off-by: Loïc Minier &lt;loic.minier@oss.qualcomm.com&gt;
diff --git a/.github/workflows/debos.yml b/.github/workflows/debos.yml
@@ -17,8 +17,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  # image build id; used for SBOM generation; TODO: should be used in image metadata too
+  BUILD_ID: ${{ github.run_id }}-${{ github.run_attempt }}
+
 jobs:
   build-debos:
+    name: Build and upload debos recipes
     outputs:
       url: ${{ steps.upload_artifacts.outputs.url }}
     runs-on: [self-hosted, qcom-u2404, arm64]
@@ -86,7 +91,7 @@ jobs:
           debos -t u_boot_rb1:rb1-boot.img \
                  debos-recipes/qualcomm-linux-debian-flash.yaml
 
-      - name: Stage build artifacts for publishing
+      - name: Stage debos artifacts for publishing
         run: |
           set -ux
           # create a directory for the current run
@@ -112,3 +117,48 @@ jobs:
         id: upload_artifacts
         with:
           path: debos-artifacts
+
+      - name: Unpack rootfs to generate SBOM
+        run: mkdir -v rootfs && tar -C rootfs -xf rootfs.tar.gz
+
+      # Syft is not packaged in Debian; it's available as a binary tarball or
+      # as container image from upstream; it's available on arm64 and x86
+      - name: Install Syft
+        run: |
+          set -ux
+          apt -y install curl
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh
+
+      - name: Generate SBOMs with Syft
+        run: |
+          set -ux
+          # TODO should probably restrict catalogers a bit as the rootfs is
+          # built entirely from deb packages
+          bin/syft --version
+          SYFT_FORMAT_PRETTY=true bin/syft \
+              -o cyclonedx-json=rootfs-sbom.cyclonedx.json \
+              -o spdx-json=rootfs-sbom.spdx.json \
+              -o syft-json=rootfs-sbom.syft.json \
+              -o syft-text=rootfs-sbom.syft.txt \
+              -o syft-table \
+              --parallelism `nproc` \
+              --select-catalogers debian \
+              --source-name qualcomm-linux-debian-rootfs \
+              --source-version "${BUILD_ID}" \
+              -v \
+              scan rootfs
+
+      - name: Stage SBOMs for publishing
+        run: |
+          set -ux
+          gzip rootfs-sbom.*
+          dir="sboms"
+          mkdir -v sboms
+          cp -av rootfs-sbom.*.gz sboms
+
+      - name: Upload SBOMs as private artifacts
+        uses: qualcomm-linux/upload-private-artifact-action@v1
+        id: upload_sbom_artifacts
+        with:
+          path: sboms
+
