From c02f207b6c8a6e8c4aa1633d5d09ab22b9c3a9b6 Mon Sep 17 00:00:00 2001
From: syoul
Date: Tue, 24 Mar 2026 12:14:16 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20sbom-generate=20=E2=80=94=20alpine=20+?= =?UTF-8?q?=20syft=20pinn=C3=A9=20via=20GitHub=20releases?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

anchore/syft:vX est distroless (pas de /bin/sh), incompatible avec les commands Woodpecker. Retour sur alpine:3.20 avec téléchargement direct du tarball v1.42.3 depuis GitHub releases (pas install.sh qui tire latest).
Co-Authored-By: Claude Sonnet 4.6
---
 .woodpecker.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 5675906..832c367 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -48,10 +48,14 @@ steps:
 # Utilise l'image officielle anchore/syft pour eviter le bug d'auto-detection
 # de container (signal Go imprime en adresse memoire sur alpine + curl install)
 - name: sbom-generate
- image: anchore/syft:v1.42.3
+ image: alpine:3.20
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
+ environment:
+ SYFT_VERSION: "1.42.3"
 commands:
+ - apk add --no-cache curl tar
+ - curl -sSfL "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | tar xz -C /usr/local/bin syft
 - mkdir -p .reports
 - syft packages docker:g1flux:latest -o cyclonedx-json=.reports/sbom-app.cyclonedx.json
 - echo "SBOM genere"
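Review bot: The added `curl … | tar xz -C /usr/local/bin syft` command installs the syft binary with no integrity check, so pinning `SYFT_VERSION` fixes the release name but not the bytes that get executed. The step also mounts `/var/run/docker.sock`, so whatever that tarball contains runs with control of the host's Docker daemon. I would download to a file, compare it against a SHA-256 committed in the pipeline (the value below is a placeholder, to be filled in from a trusted copy of the release checksums), and only then extract. Separately, Woodpecker documents that `${…}` expressions are pre-processed before the shell runs, so `${SYFT_VERSION}` may need to be written `$${SYFT_VERSION}` here; this is worth confirming on a real run. The `steps:` list starts above the hunk and the step may continue past it.

```yaml
    environment:
      # … unchanged: SYFT_VERSION …
      # placeholder: SHA-256 of syft_1.42.3_linux_amd64.tar.gz
      SYFT_SHA256: "<expected-sha256>"
    commands:
      # … unchanged: apk add …
      - curl -sSfL -o /tmp/syft.tar.gz "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz"
      # fail the step before anything is unpacked if the digest differs
      - echo "${SYFT_SHA256}  /tmp/syft.tar.gz" | sha256sum -c -
      - tar xzf /tmp/syft.tar.gz -C /usr/local/bin syft
      # … unchanged: mkdir -p .reports, syft packages, echo …
```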