Skip to content

Commit 3c471a1

Browse files
vpeterssonvpetersson
authored
Merge pull request #15 from sbomify/fix/always-cleanup
Always run SBOM cleanup for docker/chainguard sources
2 parents e598ae2 + c4e84fb commit 3c471a1

2 files changed

Lines changed: 46 additions & 7 deletions

File tree

.github/workflows/sbom-builder.yml

Lines changed: 28 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -113,20 +113,28 @@ jobs:
113113
echo "product_release=[${RELEASE_ARRAY}]" >> $GITHUB_OUTPUT
114114
fi
115115
116-
# Build PURL for TEA dedup lookup
116+
# Build PURLs for TEA dedup and component PURL
117117
SOURCE_TYPE=$(yq -r '.source.type // ""' "$CONFIG")
118118
IMAGE=$(yq -r '.source.image // ""' "$CONFIG")
119119
REGISTRY=$(yq -r '.source.registry // ""' "$CONFIG")
120120
REPO=$(yq -r '.source.repo // ""' "$CONFIG")
121121
case "$SOURCE_TYPE" in
122122
docker)
123-
echo "purl=pkg:docker/${IMAGE}@${VERSION}" >> "$GITHUB_OUTPUT" ;;
123+
echo "purl=pkg:docker/${IMAGE}@${VERSION}" >> "$GITHUB_OUTPUT"
124+
echo "purl_base=pkg:docker/${IMAGE}" >> "$GITHUB_OUTPUT"
125+
;;
124126
chainguard)
125-
echo "purl=pkg:oci/${REGISTRY}/${IMAGE}@${VERSION}" >> "$GITHUB_OUTPUT" ;;
127+
echo "purl=pkg:oci/${REGISTRY}/${IMAGE}@${VERSION}" >> "$GITHUB_OUTPUT"
128+
echo "purl_base=pkg:oci/${REGISTRY}/${IMAGE}" >> "$GITHUB_OUTPUT"
129+
;;
126130
github_release|lockfile)
127-
echo "purl=pkg:github/${REPO}@${VERSION}" >> "$GITHUB_OUTPUT" ;;
131+
echo "purl=pkg:github/${REPO}@${VERSION}" >> "$GITHUB_OUTPUT"
132+
echo "purl_base=pkg:github/${REPO}" >> "$GITHUB_OUTPUT"
133+
;;
128134
*)
129-
echo "purl=" >> "$GITHUB_OUTPUT" ;;
135+
echo "purl=" >> "$GITHUB_OUTPUT"
136+
echo "purl_base=" >> "$GITHUB_OUTPUT"
137+
;;
130138
esac
131139
132140
- name: Cache fetched SBOM
@@ -181,6 +189,8 @@ jobs:
181189
digest=$(cat image-digest.txt)
182190
echo "image_digest=${digest}" >> "$GITHUB_OUTPUT"
183191
echo "image_digest_safe=${digest//:/-}" >> "$GITHUB_OUTPUT"
192+
purl_base="${{ steps.config.outputs.purl_base }}"
193+
echo "component_purl=${purl_base}@${digest}" >> "$GITHUB_OUTPUT"
184194
185195
- name: Upload input artifact
186196
if: always() && hashFiles('sbom.json') != ''
@@ -200,6 +210,8 @@ jobs:
200210
- name: Build SBOM (from existing SBOM)
201211
if: steps.config.outputs.component_id != '' && steps.config.outputs.source_type != 'lockfile'
202212
uses: sbomify/sbomify-action@master
213+
with:
214+
component-purl: ${{ steps.digest.outputs.component_purl || steps.config.outputs.purl }}
203215
env:
204216
TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
205217
COMPONENT_ID: ${{ steps.config.outputs.component_id }}
@@ -214,6 +226,8 @@ jobs:
214226
- name: Build SBOM (from lockfile)
215227
if: steps.config.outputs.component_id != '' && steps.config.outputs.source_type == 'lockfile'
216228
uses: sbomify/sbomify-action@master
229+
with:
230+
component-purl: ${{ steps.config.outputs.purl }}
217231
env:
218232
TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
219233
COMPONENT_ID: ${{ steps.config.outputs.component_id }}
@@ -291,6 +305,8 @@ jobs:
291305
steps.config.outputs.component_id != '' && steps.config.outputs.source_type != 'lockfile'
292306
&& !inputs.dry_run && steps.upload-decision.outputs.should_upload == 'true'
293307
uses: sbomify/sbomify-action@master
308+
with:
309+
component-purl: ${{ steps.digest.outputs.component_purl || steps.config.outputs.purl }}
294310
env:
295311
TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
296312
COMPONENT_ID: ${{ steps.config.outputs.component_id }}
@@ -306,6 +322,8 @@ jobs:
306322
steps.config.outputs.component_id != '' && steps.config.outputs.source_type == 'lockfile'
307323
&& !inputs.dry_run && steps.upload-decision.outputs.should_upload == 'true'
308324
uses: sbomify/sbomify-action@master
325+
with:
326+
component-purl: ${{ steps.config.outputs.purl }}
309327
env:
310328
TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
311329
COMPONENT_ID: ${{ steps.config.outputs.component_id }}
@@ -316,10 +334,9 @@ jobs:
316334
UPLOAD: true
317335
PRODUCT_RELEASE: ${{ steps.config.outputs.product_release }}
318336

319-
- name: Cleanup old SBOMs
337+
- name: Cleanup old SBOMs and releases
320338
if: >-
321339
steps.config.outputs.component_id != '' && !inputs.dry_run
322-
&& steps.upload-decision.outputs.should_upload == 'true'
323340
&& (steps.config.outputs.source_type == 'docker'
324341
|| steps.config.outputs.source_type == 'chainguard')
325342
run: |
@@ -328,6 +345,10 @@ jobs:
328345
sbomify_cleanup_old_sboms \
329346
"${{ steps.config.outputs.component_id }}" \
330347
"${{ steps.digest.outputs.image_digest }}"
348+
if [[ -n "${{ steps.config.outputs.product_id }}" ]]; then
349+
sbomify_cleanup_versioned_releases \
350+
"${{ steps.config.outputs.product_id }}"
351+
fi
331352
env:
332353
SBOMIFY_TOKEN: ${{ secrets.SBOMIFY_TOKEN }}
333354

scripts/lib/sbomify-api.sh

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,3 +40,21 @@ sbomify_cleanup_old_sboms() {
4040
"${SBOMIFY_API}/api/v1/sboms/sbom/${sbom_id}" || true
4141
done
4242
}
43+
44+
# Remove versioned releases from a product (keep only "latest")
45+
# Usage: sbomify_cleanup_versioned_releases <product_id>
46+
sbomify_cleanup_versioned_releases() {
47+
local product_id="$1"
48+
49+
local releases release_ids
50+
releases=$(curl -fsSL -H "Authorization: Bearer ${SBOMIFY_TOKEN}" \
51+
"${SBOMIFY_API}/api/v1/releases?product_id=${product_id}")
52+
release_ids=$(echo "$releases" | jq -r \
53+
'.items[] | select(.is_latest != true) | .id')
54+
55+
for release_id in $release_ids; do
56+
log_info "Removing versioned release ${release_id} from product ${product_id}"
57+
curl -fsSL -X DELETE -H "Authorization: Bearer ${SBOMIFY_TOKEN}" \
58+
"${SBOMIFY_API}/api/v1/releases/${release_id}" || true
59+
done
60+
}

0 commit comments

Comments
 (0)