workflows: debos: Generate SBOM of rootfs with syft

lool · lool · commit 47229601b308 · 2025-05-21T12:02:54.000+02:00
Signed-off-by: Loïc Minier &lt;loic.minier@oss.qualcomm.com&gt;
diff --git a/.github/workflows/debos.yml b/.github/workflows/debos.yml
@@ -19,6 +19,7 @@ concurrency:
 
 jobs:
   build-debos:
+    name: Build and upload debos recipes
     outputs:
       url: ${{ steps.upload_artifacts.outputs.url }}
     runs-on: [self-hosted, qcom-u2404, arm64]
@@ -86,7 +87,7 @@ jobs:
           debos -t u_boot_rb1:rb1-boot.img \
                  debos-recipes/qualcomm-linux-debian-flash.yaml
 
-      - name: Stage build artifacts for publishing
+      - name: Stage debos artifacts for publishing
         run: |
           set -ux
           # create a directory for the current run
@@ -112,3 +113,71 @@ jobs:
         id: upload_artifacts
         with:
           path: ./uploads
+
+  rootfs-sbom:
+    name: Generate SBOM for rootfs with Syft
+    # nowadays also available on arm64; set x86 for predictability
+    runs-on: [self-hosted, x86]
+    needs: build-debos
+    container:
+      image: debian:trixie
+      volumes:
+        - /efs/qli/metaqcom/gh-runners/quic-yocto/downloads:/fileserver-downloads
+    steps:
+      # make sure we have latest packages first, to get latest fixes and to
+      # avoid an automated update while we're building
+      - name: Update OS packages
+        run: |
+          set -ux
+          apt update
+          apt -y upgrade
+          apt -y full-upgrade
+
+      - name: Retrieve rootfs from fileserver
+        run: cp -av /fileserver-downloads/${BUILD_ID}/rootfs.tar.gz .
+
+      - name: Unpack rootfs
+        run: mkdir -v rootfs && tar -C rootfs -xf rootfs.tar.gz
+
+      # Syft is not packaged in Debian; it's available as a binary tarball or
+      # as container image from upstream
+      - name: Install Syft
+        run: |
+          set -ux
+          apt -y install curl
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh
+
+      - name: Generate SBOMs with Syft
+        run: |
+          set -ux
+          # TODO should probably restrict catalogers a bit as the rootfs is
+          # built entirely from deb packages
+          bin/syft --version
+          SYFT_FORMAT_PRETTY=true bin/syft \
+              -o cyclonedx-json=rootfs-sbom.cyclonedx.json \
+              -o spdx-json=rootfs-sbom.spdx.json \
+              -o syft-json=rootfs-sbom.syft.json \
+              -o syft-text=rootfs-sbom.syft.txt \
+              -o syft-table \
+              --parallelism `nproc` \
+              --source-name qualcomm-linux-debian-rootfs \
+              --source-version "${BUILD_ID}" \
+              -v \
+              scan rootfs
+
+      - name: Stage SBOMs for publishing
+        run: |
+          set -ux
+          # compress SBOMs
+          gzip rootfs-sbom*
+          # create a directory for the current run
+          BUILD_DIR="./uploads"
+          mkdir -vp "${BUILD_DIR}"
+          cp -av rootfs-sbom*.gz "${BUILD_DIR}"
+
+      - name: Upload SBOMs as private artifacts
+        uses: qualcomm-linux/upload-private-artifact-action@v1
+        id: upload_artifacts
+        with:
+          path: ./uploads
+
