Use debian image + https download for syft

Signed-off-by: Loïc Minier <[email protected]>

Author: lool

.github/workflows/debos.yml

@@ -136,10 +136,7 @@ jobs:
     runs-on: [self-hosted, x86]
     needs: build-debos
     container:
-      # this is the upstream maintained image, not sure what criteria it has to
-      # pass to be considered trusted; also, we assume it's Debian/Ubuntu-based
-      # and that misc tool such as apt/tar/nproc/curl will be available
-      image: anchore/syft
+      image: debian:trixie
       volumes:
         - /srv/gh-runners/quic-yocto/builds:/fileserver-builds
         - /srv/gh-runners/quic-yocto/downloads:/fileserver-downloads
@@ -150,6 +147,15 @@ jobs:
       - name: Unpack rootfs
         run: mkdir -v rootfs && tar -C rootfs -xvf rootfs.tar.gz
 
+      # this is the upstream provided script; syft is not packaged in Debian;
+      # it's also available as a container image, but with a similar if not
+      # worse consumption model
+      - name: Install Syft
+        run: |
+          set -ux
+          apt -y install curl
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh
+
       - name: Generate SBOMs with Syft
         run: |
           set -ux