@@ -144,20 +144,17 @@ jobs:
144144 - /srv/gh-runners/quic-yocto/builds:/fileserver-builds
145145 - /srv/gh-runners/quic-yocto/downloads:/fileserver-downloads
146146 steps :
147- - name : Get rootfs, generate SBOM with syft and upload to fileserver
147+ - name : Retrieve rootfs from fileserver
148+ run : cp -av /fileserver-downloads/${BUILD_ID}/rootfs.tar.gz .
149+
150+ - name : Unpack rootfs
151+ run : mkdir -v rootfs && tar -C rootfs -xvf rootfs.tar.gz
152+
153+ - name : Generate SBOMs with Syft
148154 run : |
149155 set -ux
150- # curl will be used to talk to fileserver; should be installed by
151- # default
152- apt -y install curl
153- # retrieve and unpack rootfs
154- cp -av /fileserver-downloads/${BUILD_ID}/rootfs.tar.gz .
155- mkdir rootfs
156- tar -C rootfs -xvf rootfs.tar.gz
157- # run syft
158156 # TODO should probably restrict catalogers a bit as the rootfs is
159157 # built entirely from deb packages
160- # TODO should set source-version
161158 syft --version
162159 SYFT_FORMAT_JSON_PRETTY=true syft -v \
163160 -o cyclonedx-json=rootfs-sbom.cyclonedx.json \
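Review bot: The rootfs tarball is copied from the shared host mount and unpacked (new lines 148–151) with no integrity check, so the SBOM generated from line 159 onward describes whatever file happened to sit at `/fileserver-downloads/${BUILD_ID}/rootfs.tar.gz` at scan time rather than a known build output. If the build job publishes a digest next to the tarball (not visible here), verifying it before extraction — e.g. `sha256sum -c rootfs.tar.gz.sha256` as a step between "Retrieve" and "Unpack" — would bind the SBOM to the artifact; if no digest exists, a comment stating that the scan trusts the fileserver contents is the minimum. The split also moved the `cp` out from under the `set -ux` the combined script applied, and `${BUILD_ID}` is unquoted in a path on a host bind mount; `cp -av "/fileserver-downloads/${BUILD_ID}/rootfs.tar.gz" .` keeps the expansion as a single argument. `-v` on a full-rootfs extraction additionally prints every path into the job log; `tar -C rootfs -xf rootfs.tar.gz` is sufficient.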
@@ -170,14 +167,16 @@ jobs:
170167 --source-version "${BUILD_ID}" \
171168 -v \
172169 scan rootfs
173- # compress
170+ # compress SBOMs
174171 gzip rootfs-sbom*
175- # copy to fileserver
176- for dir in
177- "/fileserver-builds/${BUILD_ID}"
178- "/fileserver-downloads/${BUILD_ID}"; do
179- cp -av rootfs-sbom*.gz "${dir}"
180- done
172+
173+ - name : Upload SBOMs to fileserver space for builds
174+ run : |
175+ # curl will be used to talk to fileserver; should be installed by
176+ # default
177+ apt -y install curl
178+ # copy SBOMs to fileserver space for builds
179+ cp -av rootfs-sbom*.gz "/fileserver-builds/${BUILD_ID}"
181180 # instruct fileserver to publish this directory
182181 url="${FILESERVER_URL}/${BUILD_ID}/"
183182 curl -X POST -H 'Accept: text/event-stream' "${url}"
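Review bot: The publish request on line 182 cannot fail the job: curl exits 0 on an HTTP 4xx/5xx unless `--fail` is given, so a rejected or errored publish leaves the step green while the build directory stays unpublished. `curl -sSf -X POST -H 'Accept: text/event-stream' "${url}"` surfaces the status. This step also lost the `set -u` guard the old combined script had, so an unset `FILESERVER_URL` or `BUILD_ID` now expands silently into the copy path and the URL; `set -eu` as the first line of the `run:` block restores it. Finally, `apt -y install curl` is the interactive front-end with an unstable CLI and runs without a preceding `apt-get update`; since the comment already says curl should be present, `command -v curl >/dev/null || { apt-get update && apt-get -y install curl; }` avoids both the warning and a network package fetch on every run.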