
fix: ensure sbom is copied to output-file #411

Merged: 1 commit merged into anchore:main, Apr 12, 2023

Conversation

@gszr gszr commented Apr 10, 2023

Before this, the sbom file would only be copied to output-file if upload-artifact is true. However, the file may still be useful if upload is not enabled.

@gszr gszr force-pushed the fix/copy-file-before-upload branch from e364f71 to 57fd0d7 on April 10, 2023 23:11
@gszr gszr marked this pull request as ready for review April 10, 2023 23:15

@kzantow kzantow left a comment


As it stands, this would break artifact upload functionality when output-file is unset.

Additionally, you need to generate the dist/* files (this should have happened automatically if you ran npm install, which would have installed a git hook to do this), but you can manually run this using npm run package.

I think you should revert all changes here except removal of:

const outputFile = core.getInput("output-file");
if (outputFile) {
  fs.copyFileSync(filePath, outputFile);
}

and addition of:

const outputFile = core.getInput("output-file");
if (outputFile) {
  fs.writeFileSync(outputFile, contents);
}

Review thread on src/github/SyftGithubAction.ts (outdated, resolved)
Before this, the sbom file would only be copied to
`output-file` if `upload-artifact` is true. However,
the file may still be useful if upload is not enabled.

Signed-off-by: Guilherme Salazar <gsz@acm.org>
@gszr gszr force-pushed the fix/copy-file-before-upload branch from 57fd0d7 to 9d55246 on April 11, 2023 13:39
@gszr gszr requested a review from kzantow April 11, 2023 13:39
@kzantow kzantow merged commit 8e2e937 into anchore:main Apr 12, 2023
gszr commented Apr 12, 2023

Thanks for reviewing / merging, @kzantow!

@gszr gszr deleted the fix/copy-file-before-upload branch April 12, 2023 15:21
@zosocanuck
The ability to specify an output-file seems to be broken:

- name: Create SBOM
  uses: anchore/sbom-action@v0.14.2
  with:
    image: ${{ env.IMAGE }}
    artifact-name: sample-image.spdx
    output-file: ${{ github.workspace }}/sample-image.spdx
    upload-artifact: true

SBOM scan completed in: 4.115s
------------------------- Uploading workflow artifacts -------------------------
/tmp/sbom-action-1zzfZv/sample-image.spdx

kzantow commented Jun 6, 2023

@zosocanuck there is always a file output to a temp directory. If you add the output-file option, it's copied there. What happens if you add a step to ls, e.g.:

- run: ls -alF '${{ github.workspace }}/sample-image.spdx'

?
