Commit 5105296

fix(release): publish SBOMs flat so their SHA256SUMS lines verify (#590)
The SBOMs were written to dist/sbom/ and checksummed as sbom/<name>.cdx.json, but they publish as FLAT release assets (<name>.cdx.json), so 'sha256sum -c' could not find them and the .cdx.json lines failed. Emit the SBOMs directly into dist/ and reference them flat in the checksum manifest and the upload list, so every SHA256SUMS line (packages AND SBOMs) resolves against a served asset. The loop still scans only packages + the bare binary, never a .cdx.json.
1 parent 8aa00d7 commit 5105296

1 file changed

Lines changed: 9 additions & 5 deletions

File tree

.github/workflows/release.yml

@@ -133,20 +133,24 @@ jobs:
133133
- name: Generate CycloneDX SBOMs
134134
run: |
135135
export PATH="$HOME/.local/bin:$PATH"
136-
mkdir -p dist/sbom
136+
# Emit SBOMs flat into dist/ (not dist/sbom/). They publish as flat
137+
# release assets, so a sbom/ path prefix in SHA256SUMS would never
138+
# match the served filename and `sha256sum -c` would fail for the
139+
# .cdx.json lines. The loop globs only packages (*.rpm/*.deb) + the
140+
# bare binary, so the new *.cdx.json files are never re-scanned.
137141
# CycloneDX 1.5 schema the emitted SBOMs validate against:
138142
# https://cyclonedx.org/schema/bom-1.5.schema.json
139143
for art in dist/openwatch dist/openwatch-*.rpm dist/openwatch_*.deb dist/kensa-rules-*.rpm dist/kensa-rules_*.deb; do
140144
[ -e "$art" ] || continue
141145
name="$(basename "$art")"
142-
syft scan "file:$art" -o "cyclonedx-json=dist/sbom/${name}.cdx.json"
146+
syft scan "file:$art" -o "cyclonedx-json=dist/${name}.cdx.json"
143147
done
144-
ls -l dist/sbom
148+
ls -l dist/*.cdx.json
145149
146150
- name: Checksums
147151
run: |
148152
cd dist
149-
sha256sum *.rpm *.deb sbom/*.cdx.json > SHA256SUMS
153+
sha256sum *.rpm *.deb *.cdx.json > SHA256SUMS
150154
cat SHA256SUMS
151155
152156
# Detached GPG signature over the checksum manifest — the universal verify
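Review bot: the changed line 153 (`sha256sum *.rpm *.deb *.cdx.json > SHA256SUMS`) still produces no manifest line for the bare `openwatch` binary, even though the loop at line 143 generates an SBOM for it; if that binary is published as a release asset, add it to the `sha256sum` arguments so it verifies the same way its SBOM now does. A side effect worth keeping: because the shell is not running with `nullglob`, an unmatched `*.cdx.json` is passed literally and `sha256sum` exits non-zero, so a silently empty SBOM set fails the job rather than producing a short manifest; the `ls -l dist/*.cdx.json` at line 148 gives the same early failure in the SBOM step itself.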
@@ -195,5 +199,5 @@ jobs:
195199
dist/SHA256SUMS
196200
dist/SHA256SUMS.asc
197201
dist/SHA256SUMS.cosign.sig
198-
dist/sbom/*.cdx.json
202+
dist/*.cdx.json
199203
KEYS
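Review bot: line 202's `dist/*.cdx.json` resolves the asset/manifest path mismatch, but the manifest now lists bare filenames, so the verification instructions should state that `sha256sum -c SHA256SUMS` must be run from a directory holding every listed asset (packages and SBOMs); a user who downloads only one package will otherwise see the `.cdx.json` lines fail exactly as before, and `--ignore-missing` should be documented as the intended way to verify a partial download. Note also that the SBOMs are not individually signed; their integrity rests on SHA256SUMS plus the detached `SHA256SUMS.asc` / `SHA256SUMS.cosign.sig` signatures, so the docs should make that verification order (signature first, then `sha256sum -c`) explicit.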
