diff --git a/.github/workflows/build-and-push-container.yml b/.github/workflows/build-and-push-container.yml
index 37a0fad..96ada26 100644
--- a/.github/workflows/build-and-push-container.yml
+++ b/.github/workflows/build-and-push-container.yml
@@ -118,12 +118,10 @@ jobs:
 cargo binstall --no-confirm just
 - name: nix cache
 uses: DeterminateSystems/magic-nix-cache-action@main
- with:
- diff-store: true
 - name: confirm sources
 run: ./scripts/confirm-sources.sh
- - name: build
- run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} build
+ - name: build + push
+ run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push
 - name: Install SBOM generator dependencies
 run: |
 for f in /tmp/dpdk-sys/builds/*; do
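Review bot: The merged `build + push` step now publishes the images before `Generate SBOM` and the vulnerability scan run, because the separate `push` step that used to follow `Generate SBOM` is removed in the next hunk (`@@ -134,32 +132,29 @@`); a failure in `./scripts/sbom.sh` or a scan finding can no longer hold back what reaches the registry. If that is intended (the scan becomes after-the-fact reporting in the step summary), record it on the step, e.g. `# images are pushed before the SBOM/vuln scan runs; scan results are informational and do not gate the push`; if not, keep `build` here and re-add the `push` step after `Generate SBOM`. Adjacent and untouched by this change: `magic-nix-cache-action@main` is a floating ref, so the cache action is not pinned to a reviewed revision.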
@@ -134,32 +132,29 @@ jobs:
 sudo apt-get install --yes --no-install-recommends graphviz
 - name: Generate SBOM
 run: ./scripts/sbom.sh
- - name: push
- run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push
- - name: remove links from /tmp/dpdk-sys/builds
- run: |
- for f in /tmp/dpdk-sys/builds/*; do
- [ -h "$f" ] && rm "$f"
- done
 - name: step summary
 continue-on-error: true # might fail due to $GITHUB_STEP_SUMMARY size limit of 1MB
 run: |
 echo "# Outdated packages:" >> "$GITHUB_STEP_SUMMARY"
 echo "" >> "$GITHUB_STEP_SUMMARY"
- cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.outdated.md >> $GITHUB_STEP_SUMMARY
+ cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md >> $GITHUB_STEP_SUMMARY
 echo "" >> "$GITHUB_STEP_SUMMARY"
 echo "# Vuln scan (gnu64):" >> "$GITHUB_STEP_SUMMARY"
 echo "" >> "$GITHUB_STEP_SUMMARY"
- cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.vulns.triage.md >> $GITHUB_STEP_SUMMARY
+ cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md >> $GITHUB_STEP_SUMMARY
 echo "" >> "$GITHUB_STEP_SUMMARY"
 echo "# Runtime SBOM (gnu64):" >> "$GITHUB_STEP_SUMMARY"
 echo "" >> "$GITHUB_STEP_SUMMARY"
- cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.runtime.sbom.md >> $GITHUB_STEP_SUMMARY
+ cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.sbom.md >> $GITHUB_STEP_SUMMARY
 echo "" >> "$GITHUB_STEP_SUMMARY"
-
+ - name: remove links from /tmp/dpdk-sys/builds
+ run: |
+ for f in /tmp/dpdk-sys/builds/*; do
+ [ -h "$f" ] && rm "$f"
+ done
 - uses: actions/upload-artifact@v4
 with:
 name: builds-${{ matrix.toolchain.key }}
diff --git a/builds.template.yml b/builds.template.yml
index c6cfbed..7988933 100644
--- a/builds.template.yml
+++ b/builds.template.yml
@@ -31,12 +31,12 @@ matrix:
 - "x86_64-unknown-linux-gnu"
 - "x86_64-unknown-linux-musl"
 just: *just_version
- - # pinned nightly
- <<: *default
- key: "nightly"
- llvm: *llvm_nightly
- rust:
- channel: "nightly"
- version: *nightly_pin
+ # - # pinned nightly
+ # <<: *default
+ # key: "nightly"
+ # llvm: *llvm_nightly
+ # rust:
+ # channel: "nightly"
+ # version: *nightly_pin
 nixpkgs:
 - *nixpkgs_unstable
diff --git a/builds.yml b/builds.yml
index 7d2d7de..65cb66a 100644
--- a/builds.yml
+++ b/builds.yml
@@ -31,12 +31,12 @@ matrix:
 - "x86_64-unknown-linux-gnu"
 - "x86_64-unknown-linux-musl"
 just: *just_version
- - # pinned nightly
- <<: *default
- key: "nightly"
- llvm: *llvm_nightly
- rust:
- channel: "nightly"
- version: *nightly_pin
+ # - # pinned nightly
+ # <<: *default
+ # key: "nightly"
+ # llvm: *llvm_nightly
+ # rust:
+ # channel: "nightly"
+ # version: *nightly_pin
 nixpkgs:
 - *nixpkgs_unstable
diff --git a/scripts/sbom.sh b/scripts/sbom.sh
index 9034ccc..1402396 100755
--- a/scripts/sbom.sh
+++ b/scripts/sbom.sh
@@ -10,7 +10,10 @@ declare -r builds="/tmp/dpdk-sys/builds"
 pushd "${builds}"
 declare -r package="env.sysroot"
+nix build "${sbomnix}" --out-link /tmp/sbomnix
+
 for libc in "gnu64" "musl64"; do
+ cd "$(mktemp -d)"
 nix run \
 "${sbomnix}#sbomnix" \
 -- \
@@ -20,6 +23,7 @@ for libc in "gnu64" "musl64"; do
 --verbose=1 \
 --include-vulns \
 "${builds}/${package}.${libc}.release" &
+ cd "$(mktemp -d)"
 nix run \
 "${sbomnix}#vulnxscan" \
 -- \
@@ -27,12 +31,14 @@ for libc in "gnu64" "musl64"; do
 --triage \
 --verbose=1 \
 "${builds}/${package}.${libc}.release" &
+ cd "$(mktemp -d)"
 nix run \
 "${sbomnix}#nix_outdated" \
 -- \
 --out "${builds}/${package}.${libc}.outdated.csv" \
 --verbose=1 \
 "${builds}/${package}.${libc}.release" &
+ cd "$(mktemp -d)"
 nix run \
 "${sbomnix}#provenance" \
 -- \
@@ -40,6 +46,7 @@ for libc in "gnu64" "musl64"; do
 --verbose=1 \
 --recursive \
 "${builds}/${package}.${libc}.release" &
+ cd "$(mktemp -d)"
 nix run \
 "${sbomnix}#nixgraph" \
 -- \
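Review bot: The nightly matrix entry is kept as seven commented-out lines instead of being deleted, and the same block is duplicated in the `builds.yml` hunk (`@@ -31,12 +31,12 @@`); git history already preserves the entry, so dead config adds noise and silently goes stale (the `*default`, `*llvm_nightly` and `*nightly_pin` aliases it references can drift without anyone noticing). If the entry is meant to come back, replace the block with one comment stating why it is disabled and what re-enables it, e.g. `# nightly toolchain disabled: <reason>; restore the "nightly" matrix item here when <condition>`. If `builds.yml` is generated from `builds.template.yml` (the names suggest so, but the hunks do not show it), only the template needs the edit.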
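Review bot: The added `cd "$(mktemp -d)"` is unguarded: if `mktemp` fails the substitution is empty and bash treats `cd ""` as a successful no-op, so the backgrounded `nix run` jobs silently keep sharing the previous working directory — the collision the change is presumably meant to avoid — and none of the temp directories are ever removed; the same pattern is added in the three following hunks (`@@ -20,6 +23,7 @@`, `@@ -27,12 +31,14 @@`, `@@ -40,6 +46,7 @@`). Create one work root up front, fail hard if that fails, clean it up with a trap, and give each tool its own subdirectory under it. The new `nix build "${sbomnix}" --out-link /tmp/sbomnix` writes a fixed path in the shared `/tmp` and its out-link is not referenced by the `nix run` lines that follow; it looks like a one-time pre-build so the parallel runs do not all build the flake, and if so that should be stated in a comment. The `for` loop body continues past the hunk, so whether the script `wait`s for the background jobs before exiting is not visible here — the cleanup trap below assumes it does.
```shell
declare -r package="env.sysroot"

workdir="$(mktemp -d)" || { echo "mktemp failed" >&2; exit 1; }
# assumes the script waits for its background jobs before exiting
trap 'rm -rf "${workdir}"' EXIT

# pre-build once so the parallel `nix run` jobs below do not race to build the flake
nix build "${sbomnix}" --out-link /tmp/sbomnix

for libc in "gnu64" "musl64"; do
  mkdir -p "${workdir}/${libc}/sbomnix" && cd "${workdir}/${libc}/sbomnix" || exit 1
  # … unchanged: nix run "${sbomnix}#sbomnix" … & (repeat mkdir/cd with a per-tool subdirectory before each of the other nix run calls)
```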