Commit c3f1ef4
fix(workflows): decouple SBOM artifact name from internal filename (#1178)
## Description
Fixes the SBOM Dependency Diff failure in the stable and prerelease
release pipelines.
`anchore/sbom-action` uses `artifact-name` as both the GitHub Actions
artifact name **and** the filename inside the artifact. With
`artifact-name: sbom-dependencies`, the file stored inside the artifact
was named `sbom-dependencies` (no extension) instead of
`dependencies.spdx.json`. Downstream jobs (`sbom-diff`,
`attest-and-upload`) download the artifact and look for
`dependencies.spdx.json` — file not found.
**Fix**: Disable `sbom-action`'s built-in upload (`upload-artifact:
false`), add an explicit `actions/upload-artifact` step that uploads the
correctly-named local file `dependencies.spdx.json` as artifact
`sbom-dependencies`. Applied identically to both `release-stable.yml`
and `release-prerelease.yml`.
## Related Issue(s)
Fixes the v3.2.1 release failure in PR #1166, run #85.
## Type of Change
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature with breaking side effects)
- [ ] Documentation update
- [x] GitHub Actions workflow
- [ ] Linting or code quality tooling
- [ ] Security hardening
- [ ] DevContainer or environment configuration
- [ ] Dependency update
- [ ] Instructions (`.instructions.md`)
- [ ] Prompt (`.prompt.md`)
- [ ] Agent (`.agent.md`)
- [ ] Skill (`SKILL.md`)
## Testing
- Verified with `actionlint` — no errors in either workflow file.
- Verified with `npm run lint:yaml` — no YAML lint errors.
- Confirmed the fix covers all 11 downstream jobs (10
`attest-and-upload` matrix entries + `sbom-diff`).
## Checklist
### Required Checks
- [x] Documentation is updated (if applicable)
- [x] Naming conventions followed per instructions
- [x] Backwards compatibility considered
- [x] Tests added/updated (if applicable)
### Required Automated Checks
- [x] `npm run lint:md`
- [x] `npm run spell-check`
- [x] `npm run lint:frontmatter`
- [x] `npm run validate:skills`
- [x] `npm run lint:md-links`
- [x] `npm run lint:ps`
- [x] `npm run plugin:generate`
## Security Considerations
- [x] No sensitive data (API keys, tokens, passwords) included
- [x] Dependencies have been reviewed for security vulnerabilities
- [x] Principle of least privilege followed for any permission changes
No new dependencies introduced. Workflow permissions unchanged. The
explicit `upload-artifact` step uses the same SHA-pinned action already
present elsewhere in the pipeline.
## Additional Notes
The per-VSIX SBOM uploads (e.g., `sbom-ado`, `sbom-hve-core-all`) are
unaffected because no downstream job downloads those artifacts by
filename.
Co-authored-by: Bill Berry <wbery@microsoft.com>1 parent 671f798 commit c3f1ef4
2 files changed
Lines changed: 15 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
155 | 155 | | |
156 | 156 | | |
157 | 157 | | |
158 | | - | |
159 | 158 | | |
160 | | - | |
| 159 | + | |
161 | 160 | | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
162 | 168 | | |
163 | 169 | | |
164 | 170 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
406 | 406 | | |
407 | 407 | | |
408 | 408 | | |
409 | | - | |
410 | 409 | | |
411 | | - | |
| 410 | + | |
412 | 411 | | |
413 | 412 | | |
414 | 413 | | |
| 414 | + | |
| 415 | + | |
| 416 | + | |
| 417 | + | |
| 418 | + | |
| 419 | + | |
415 | 420 | | |
416 | 421 | | |
417 | 422 | | |
| |||
0 commit comments