From 6b757de2ee05f4bede0512fca1ee3bf112f34527 Mon Sep 17 00:00:00 2001
From: Christian Kotzbauer
Date: Mon, 3 Oct 2022 18:25:45 +0200
Subject: [PATCH] fix: fix spdx-sbom-handling (#661)

Signed-off-by: Christian Kotzbauer
Signed-off-by: Christian Kotzbauer
---
 .github/workflows/on-main-push.yaml | 4 ++--
 .github/workflows/on-tag.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/on-main-push.yaml b/.github/workflows/on-main-push.yaml
index 2fbd089..dddcd6d 100644
--- a/.github/workflows/on-main-push.yaml
+++ b/.github/workflows/on-main-push.yaml
@@ -77,7 +77,7 @@ jobs:
 - name: Generate SBOM
 run: |
- .tmp/syft ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }} -o spdx | jq --compact-output > kured.sbom
+ .tmp/syft ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }} -o spdx > kured.sbom
 - name: Sign and attest artifacts
 run: |
@@ -86,6 +86,6 @@ jobs:
 .tmp/cosign sign-blob --output-signature kured.sbom.sig --output-certificate kured.sbom.pem kured.sbom
 .tmp/cosign attest -f --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
- .tmp/cosign attach sbom --type syft --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+ .tmp/cosign attach sbom --type spdx --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
 env:
 COSIGN_EXPERIMENTAL: 1
diff --git a/.github/workflows/on-tag.yaml b/.github/workflows/on-tag.yaml
index 8b8f87e..8e2f4a1 100644
--- a/.github/workflows/on-tag.yaml
+++ b/.github/workflows/on-tag.yaml
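Review bot: The syft, attest and attach commands in both on-main-push.yaml hunks (and likewise both on-tag.yaml hunks, with `steps.tags.outputs.version`) address the image by a mutable tag, `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}`, so each tool independently resolves whatever that tag points to at call time, and `attest -f` appears to be the flag that skips cosign's tag-reference warning rather than anything that pins the digest. If the tag is re-pointed between the push and these steps, the SBOM, the attestation and the attached SBOM end up describing a digest other than the one this run built, and they need not even agree with each other. Resolve the digest once after the push (for example from the build step's output, if it exposes one) into a step output and reference `<image>@sha256:<digest>` in all three commands, so the SBOM is generated from and bound to exactly the pushed artifact. The `run:` blocks of both steps begin outside these hunks.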
@@ -88,7 +88,7 @@ jobs:
 - name: Generate SBOM
 run: |
- .tmp/syft ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }} -o spdx | jq --compact-output > kured.sbom
+ .tmp/syft ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }} -o spdx > kured.sbom
 - name: Sign and attest artifacts
 run: |
@@ -97,6 +97,6 @@ jobs:
 .tmp/cosign sign-blob --output-signature kured.sbom.sig kured.sbom
 .tmp/cosign attest -f --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
- .tmp/cosign attach sbom --type syft --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+ .tmp/cosign attach sbom --type spdx --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
 env:
 COSIGN_EXPERIMENTAL: 1
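Review bot: The `sign-blob` context line in the second on-tag.yaml hunk writes only `--output-signature kured.sbom.sig`, while the matching line in on-main-push.yaml also passes `--output-certificate kured.sbom.pem`; with `COSIGN_EXPERIMENTAL: 1` these are keyless signatures, so without the certificate a consumer of the tagged release cannot verify `kured.sbom.sig` locally and the two workflows have drifted apart. Change the line to `.tmp/cosign sign-blob --output-signature kured.sbom.sig --output-certificate kured.sbom.pem kured.sbom` so the tag workflow publishes the same artifact set, and check that whatever step uploads the release assets (outside this hunk) includes the `.pem`. The rest of the Sign step lies outside this hunk.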