Generate SBOM correctly for different platforms/variants (#2319)

mathbunnyru · web-flow · commit 3b755d1c0c87 · 2025-09-16T22:46:44.000+01:00
diff --git a/.github/actions/apply-single-tags/action.yml b/.github/actions/apply-single-tags/action.yml
@@ -39,6 +39,13 @@ runs:
           --tags-dir /tmp/jupyter/tags/
       shell: bash
 
+    - name: Upload SBOM for the image 🧾
+      uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
+      with:
+        image: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ inputs.image }}
+        artifact-name: ${{ inputs.image }}-${{ inputs.platform }}-${{ inputs.variant }}-sbom.spdx.json
+        upload-artifact-retention: 40
+
     # This step is needed to prevent pushing non-multi-arch "latest" tag
     - name: Remove the "latest" tag from the image 🗑️
       run: docker image rmi ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ inputs.image }}:latest
diff --git a/.github/workflows/docker-tag-push.yml b/.github/workflows/docker-tag-push.yml
@@ -75,19 +75,6 @@ jobs:
         shell: bash
         id: login
 
-      - name: Generate SBOM for the image 🧾
-        uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
-        with:
-          image: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ inputs.image }}
-          output-file: /tmp/sbom.txt
-
-      - name: Upload SBOM 💾
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ inputs.image }}-sbom
-          path: /tmp/sbom.txt
-          retention-days: 40
-
       - name: Push single platform images to Registry 📤
         if: env.PUSH_TO_REGISTRY == 'true'
         run: |
