Always run SBOM cleanup for docker/chainguard sources #15

Merged: vpetersson merged 1 commit into master from fix/always-cleanup on Mar 7, 2026
@vpetersson

Summary

  • Cleanup step was gated on should_upload == 'true', so when dedup correctly skipped upload, old tag-versioned SBOMs (e.g. 9.14.1) were never removed
  • Now runs cleanup on every non-dry-run for docker/chainguard sources

Test plan

  • Verify old tag-versioned SBOMs (like Haskell's 9.14.1) get deleted on next sync
  • Verify current digest-versioned SBOMs are preserved

🤖 Generated with Claude Code
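
The gating bug described in the summary above, modelled as an added Python sketch (not code from this pull request or the project's workflow). The function names, the list-of-versions model and the `sha256:` prefix used to recognise digest-versioned SBOMs are assumptions made for illustration.

```python
# Added illustration: a toy model of one sync run. All names are hypothetical.
DIGEST_SOURCES = {"docker", "chainguard"}


def is_digest_version(version):
    # Assumption: digest-versioned SBOMs carry a "sha256:"-prefixed version.
    return version.startswith("sha256:")


def sync(source, existing, current_version, dry_run, gate_on_upload):
    """Simulate one sync; return (should_upload, versions left afterwards).

    gate_on_upload=True  models the old behaviour (cleanup only after upload).
    gate_on_upload=False models the fix (cleanup on every non-dry-run for
    docker/chainguard sources).
    """
    versions = list(existing)  # never mutate the caller's list
    # Dedup: skip the upload when this exact version is already stored.
    should_upload = current_version not in versions
    if should_upload and not dry_run:
        versions.append(current_version)

    if gate_on_upload:
        run_cleanup = should_upload and not dry_run
    else:
        run_cleanup = not dry_run and source in DIGEST_SOURCES

    if run_cleanup:
        # Drop tag-versioned SBOMs, keep digest-versioned ones.
        versions = [v for v in versions if is_digest_version(v)]
    return should_upload, versions


# Constructed sample state: a stale tag-versioned SBOM next to the current digest.
EXISTING = ["9.14.1", "sha256:aaaa"]

if __name__ == "__main__":
    print("old gating:", sync("docker", EXISTING, "sha256:aaaa", False, True))
    print("new gating:", sync("docker", EXISTING, "sha256:aaaa", False, False))
    print("dry run   :", sync("docker", EXISTING, "sha256:aaaa", True, False))
```

With the old gating, the stale `9.14.1` entry survives every run in which dedup skips the upload, which is the state the test plan checks for.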

@vpetersson force-pushed the fix/always-cleanup branch 3 times, most recently from 336df46 to d267cd7, on March 7, 2026 17:33

- Cleanup step runs on every sync (not just after upload) so stale
  tag-versioned SBOMs get removed even when dedup skips upload
- Adds sbomify_cleanup_versioned_releases to remove empty versioned
  releases left as side effects of PRODUCT_RELEASE
- Pass COMPONENT_PURL to sbomify-action via new component-purl input
  (sbomify/sbomify-action#191) for all build and upload steps
- Docker/chainguard PURLs use digest as version; lockfile/github_release
  use tag version

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@vpetersson force-pushed the fix/always-cleanup branch from d267cd7 to c4e84fb on March 7, 2026 17:45

@vpetersson merged commit 3c471a1 into master on Mar 7, 2026
61 checks passed