fix: sbom-generate — alpine + syft pinned via GitHub releases
ci/woodpecker/push/woodpecker Pipeline failed
anchore/syft:vX is distroless (no /bin/sh), incompatible with Woodpecker commands. Back to alpine:3.20 with a direct download of the v1.42.3 tarball from GitHub releases (not install.sh, which pulls latest).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+5
-1
@@ -48,10 +48,14 @@ steps:
|
||||
# Utilise l'image officielle anchore/syft pour eviter le bug d'auto-detection
|
||||
# de container (signal Go imprime en adresse memoire sur alpine + curl install)
|
||||
- name: sbom-generate
|
||||
image: anchore/syft:v1.42.3
|
||||
image: alpine:3.20
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
environment:
|
||||
SYFT_VERSION: "1.42.3"
|
||||
commands:
|
||||
- apk add --no-cache curl tar
|
||||
- curl -sSfL "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | tar xz -C /usr/local/bin syft
|
||||
- mkdir -p .reports
|
||||
- syft packages docker:g1flux:latest -o cyclonedx-json=.reports/sbom-app.cyclonedx.json
|
||||
- echo "SBOM genere"
|
||||
|
||||
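Review bot: The `curl ... | tar xz -C /usr/local/bin syft` line extracts and installs the release tarball with no integrity check, so `SYFT_VERSION` pins which asset is requested but not which bytes end up being executed, and this step runs with `/var/run/docker.sock` mounted. Download the tarball to a file, check it with `sha256sum -c` against a SHA-256 committed alongside `SYFT_VERSION`, and extract `syft` only if the check passes. Separately, the two comment lines above `- name: sbom-generate` still say the step uses the official anchore/syft image, which no longer matches `image: alpine:3.20`; update them to state the reason given in the commit message (distroless image, no /bin/sh).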