From d2a30596c96216663f191ee3c2ed91876c9aaf5b Mon Sep 17 00:00:00 2001
From: Daniel Noland
Date: Mon, 4 Nov 2024 18:02:50 -0700
Subject: [PATCH 1/3] clean up sbom

---
 .../workflows/build-and-push-container.yml | 23 ++++++++-----------
 scripts/sbom.sh | 4 +++-
 2 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build-and-push-container.yml b/.github/workflows/build-and-push-container.yml
index 37a0fad..87aa4f6 100644
--- a/.github/workflows/build-and-push-container.yml
+++ b/.github/workflows/build-and-push-container.yml
@@ -122,8 +122,8 @@ jobs:
 diff-store: true
 - name: confirm sources
 run: ./scripts/confirm-sources.sh
- - name: build
- run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} build
+ - name: build + push
+ run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push
 - name: Install SBOM generator dependencies
 run: |
 for f in /tmp/dpdk-sys/builds/*; do
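Review bot: Merging the push into the build step moves publication ahead of the `Generate SBOM` step that runs `./scripts/sbom.sh` (where `vulnxscan` is invoked, per the sbom.sh hunks further down), so the vulnerability scan can no longer gate the image that gets pushed. If gating is intended, keep `just ... build` here, run the SBOM step against the build output, and invoke `push` only after the scan with the job failing on findings. If the scan is informational only, say so on this step, e.g. `# push is not gated on the SBOM/vuln scan below; scan results are informational`, so the next reader does not assume otherwise. The `jobs:` mapping this step belongs to starts outside the hunk.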
@@ -134,32 +134,29 @@ jobs:
 sudo apt-get install --yes --no-install-recommends graphviz
 - name: Generate SBOM
 run: ./scripts/sbom.sh
- - name: push
- run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push
- - name: remove links from /tmp/dpdk-sys/builds
- run: |
- for f in /tmp/dpdk-sys/builds/*; do
- [ -h "$f" ] && rm "$f"
- done
 - name: step summary
 continue-on-error: true # might fail due to $GITHUB_STEP_SUMMARY size limit of 1MB
 run: |
 echo "# Outdated packages:" >> "$GITHUB_STEP_SUMMARY"
 echo "" >> "$GITHUB_STEP_SUMMARY"
- cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.outdated.md >> $GITHUB_STEP_SUMMARY
+ cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md >> $GITHUB_STEP_SUMMARY
 echo "" >> "$GITHUB_STEP_SUMMARY"
 echo "# Vuln scan (gnu64):" >> "$GITHUB_STEP_SUMMARY"
 echo "" >> "$GITHUB_STEP_SUMMARY"
- cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.vulns.triage.md >> $GITHUB_STEP_SUMMARY
+ cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md >> $GITHUB_STEP_SUMMARY
 echo "" >> "$GITHUB_STEP_SUMMARY"
 echo "# Runtime SBOM (gnu64):" >> "$GITHUB_STEP_SUMMARY"
 echo "" >> "$GITHUB_STEP_SUMMARY"
- cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.runtime.sbom.md >> $GITHUB_STEP_SUMMARY
+ cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.sbom.md >> $GITHUB_STEP_SUMMARY
 echo "" >> "$GITHUB_STEP_SUMMARY"
-
+ - name: remove links from /tmp/dpdk-sys/builds
+ run: |
+ for f in /tmp/dpdk-sys/builds/*; do
+ [ -h "$f" ] && rm "$f"
+ done
 - uses: actions/upload-artifact@v4
 with:
 name: builds-${{ matrix.toolchain.key }}
diff --git a/scripts/sbom.sh b/scripts/sbom.sh
index 9034ccc..a07b68e 100755
--- a/scripts/sbom.sh
+++ b/scripts/sbom.sh
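Review bot: The relocated `remove links` step ends with `[ -h "$f" ] && rm "$f"` as the last command of a `for` loop that is itself the last command of the script, so the step's exit status is the status of the final `[ -h "$f" ]` test and the step fails whenever the last entry matched by `/tmp/dpdk-sys/builds/*` is not a symlink (the `.md`/`.csv` reports written into that directory make this plausible — verify on a run). Write it as `if [ -h "$f" ]; then rm "$f"; fi`, or replace the loop with `find /tmp/dpdk-sys/builds -maxdepth 1 -type l -delete`. Separately, the three new `cat ... >> $GITHUB_STEP_SUMMARY` lines leave the variable unquoted while every `echo` on the same step quotes it; quote them for consistency. The `jobs:` mapping this step belongs to starts outside the hunk.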
@@ -4,12 +4,14 @@ set -euxo pipefail
 declare -r sbomnix="github:tiiuae/sbomnix"
-just build-sysroot
+#just build-sysroot
 declare -r builds="/tmp/dpdk-sys/builds"
 pushd "${builds}"
 declare -r package="env.sysroot"
+nix build "${sbomnix}" --out-link /tmp/sbomnix
+
 for libc in "gnu64" "musl64"; do
 nix run \
 "${sbomnix}#sbomnix" \
From ef03b448c2acf0254bb1572cc20eb363f3ca2375 Mon Sep 17 00:00:00 2001
From: Daniel Noland
Date: Mon, 4 Nov 2024 19:10:47 -0700
Subject: [PATCH 2/3] temp drop nightly

---
 builds.template.yml | 14 +++++++-------
 builds.yml | 14 +++++++-------
 scripts/sbom.sh | 7 ++++++-
 3 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/builds.template.yml b/builds.template.yml
index c6cfbed..7988933 100644
--- a/builds.template.yml
+++ b/builds.template.yml
@@ -31,12 +31,12 @@ matrix:
 - "x86_64-unknown-linux-gnu"
 - "x86_64-unknown-linux-musl"
 just: *just_version
- - # pinned nightly
- <<: *default
- key: "nightly"
- llvm: *llvm_nightly
- rust:
- channel: "nightly"
- version: *nightly_pin
+ # - # pinned nightly
+ # <<: *default
+ # key: "nightly"
+ # llvm: *llvm_nightly
+ # rust:
+ # channel: "nightly"
+ # version: *nightly_pin
 nixpkgs:
 - *nixpkgs_unstable
diff --git a/builds.yml b/builds.yml
index 7d2d7de..65cb66a 100644
--- a/builds.yml
+++ b/builds.yml
@@ -31,12 +31,12 @@ matrix:
 - "x86_64-unknown-linux-gnu"
 - "x86_64-unknown-linux-musl"
 just: *just_version
- - # pinned nightly
- <<: *default
- key: "nightly"
- llvm: *llvm_nightly
- rust:
- channel: "nightly"
- version: *nightly_pin
+ # - # pinned nightly
+ # <<: *default
+ # key: "nightly"
+ # llvm: *llvm_nightly
+ # rust:
+ # channel: "nightly"
+ # version: *nightly_pin
 nixpkgs:
 - *nixpkgs_unstable
diff --git a/scripts/sbom.sh b/scripts/sbom.sh
index a07b68e..1402396 100755
--- a/scripts/sbom.sh
+++ b/scripts/sbom.sh
@@ -4,7 +4,7 @@ set -euxo pipefail
 declare -r sbomnix="github:tiiuae/sbomnix"
-#just build-sysroot
+just build-sysroot
 declare -r builds="/tmp/dpdk-sys/builds"
 pushd "${builds}"
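Review bot: The new `nix build "${sbomnix}" --out-link /tmp/sbomnix` line resolves `github:tiiuae/sbomnix` to whatever the default branch points at when the job runs, so the tool that produces the SBOM and the vulnerability report is itself an unpinned, mutable dependency; pin the flake ref to a commit (`github:tiiuae/sbomnix/<commit-sha>`) or add it as a locked flake input so the scanner is reproducible and its own provenance is recorded. The `/tmp/sbomnix` out-link is not referenced anywhere in the visible script; if the line only exists to realise the derivation once before the backgrounded `nix run` calls in the loop, say so, e.g. `# realise sbomnix once up front so the parallel nix run invocations below share one store path`, otherwise it can go. The `for` loop this hunk opens continues outside it.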
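Review bot: Commenting out the nightly matrix entry in `builds.template.yml` leaves dead configuration with no indication of why it was dropped or what has to happen before it returns; the subject line says "temp", so put that on the block, e.g. `# TODO(nightly): temporarily disabled — <reason>; re-enable once resolved`, or delete the entry and rely on git history. The identical commented block is also hand-edited in `builds.yml`, which from its name looks generated from this template — if it is, only the template should be edited and the generated file regenerated; confirm. The `matrix:` mapping this entry belongs to starts outside the hunk.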
@@ -13,6 +13,7 @@ declare -r package="env.sysroot"
 nix build "${sbomnix}" --out-link /tmp/sbomnix
 for libc in "gnu64" "musl64"; do
+ cd "$(mktemp -d)"
 nix run \
 "${sbomnix}#sbomnix" \
 -- \
@@ -22,6 +23,7 @@ for libc in "gnu64" "musl64"; do
 --verbose=1 \
 --include-vulns \
 "${builds}/${package}.${libc}.release" &
+ cd "$(mktemp -d)"
 nix run \
 "${sbomnix}#vulnxscan" \
 -- \
@@ -29,12 +31,14 @@ for libc in "gnu64" "musl64"; do
 --triage \
 --verbose=1 \
 "${builds}/${package}.${libc}.release" &
+ cd "$(mktemp -d)"
 nix run \
 "${sbomnix}#nix_outdated" \
 -- \
 --out "${builds}/${package}.${libc}.outdated.csv" \
 --verbose=1 \
 "${builds}/${package}.${libc}.release" &
+ cd "$(mktemp -d)"
 nix run \
 "${sbomnix}#provenance" \
 -- \
@@ -42,6 +46,7 @@ for libc in "gnu64" "musl64"; do
 --verbose=1 \
 --recursive \
 "${builds}/${package}.${libc}.release" &
+ cd "$(mktemp -d)"
 nix run \
 "${sbomnix}#nixgraph" \
 -- \
From b6ae8b7ad5afb08493196c2a0a44573ba4edde29 Mon Sep 17 00:00:00 2001
From: Daniel Noland
Date: Mon, 4 Nov 2024 20:24:26 -0700
Subject: [PATCH 3/3] no more diff-store

---
 .github/workflows/build-and-push-container.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/build-and-push-container.yml b/.github/workflows/build-and-push-container.yml
index 87aa4f6..96ada26 100644
--- a/.github/workflows/build-and-push-container.yml
+++ b/.github/workflows/build-and-push-container.yml
@@ -118,8 +118,6 @@ jobs:
 cargo binstall --no-confirm just
 - name: nix cache
 uses: DeterminateSystems/magic-nix-cache-action@main
- with:
- diff-store: true
 - name: confirm sources
 run: ./scripts/confirm-sources.sh
 - name: build + push
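Review bot: Each added `cd "$(mktemp -d)"` executes in the main shell, not in the backgrounded `nix run` that follows it, so after the first iteration the script has silently left the `${builds}` directory selected by `pushd` (the absolute `${builds}/...` arguments mean the tools still find their input, but any relative path or a `popd` outside this view now behaves differently), and each loop iteration creates five scratch directories that nothing in the visible script removes. Scope the directory change to the job it is meant for with a subshell, `( cd "$(mktemp -d)" && nix run "${sbomnix}#sbomnix" -- ... ) &`, and if the scratch dirs exist only to keep the parallel runs from clobbering each other's default output files, allocate them under one parent created before the loop and cleaned on exit, `scratch="$(mktemp -d)"; trap 'rm -rf "$scratch"' EXIT`, with `mktemp -d -p "$scratch"` inside. That purpose is inferred; a one-line comment on the first `cd`, such as `# run each tool in its own scratch dir so their default output files do not collide`, would confirm it. The `for` loop continues past this hunk.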