fix(ci): prevent SBOM artifact name collision in release workflows #6142

Merged
gustavosbarreto merged 1 commit into master from fix/sbom-artifact-collision
Apr 8, 2026


Conversation

@gustavosbarreto
Member

What

Replaced artifact-name: "" with upload-artifact: false in
sbom-action steps across both release workflows.

Why

artifact-name: "" does not disable artifact upload — it causes
sbom-action to generate auto-incremented names that collide when
matrix jobs run in parallel, resulting in a 409 Conflict error
that fails the build.

Both workflows already have a dedicated actions/upload-artifact
step with unique per-project names, making the sbom-action upload
redundant.

Changes

  • docker-publish.yml: 3 sbom-action steps updated
  • build-agent.yml: 2 sbom-action steps updated

@gustavosbarreto gustavosbarreto requested a review from a team as a code owner April 8, 2026 19:31
@github-actions

github-actions bot commented Apr 8, 2026

Claude finished @gustavosbarreto's task in 1m 39s


Code Review Complete

Reviewed 2 files across code quality, security, testing, language patterns, and architecture — no issues found. The code looks good as-is.

The fix correctly replaces the non-functional artifact-name: "" workaround with upload-artifact: false, which is the documented parameter to disable anchore/sbom-action's built-in artifact upload. All 5 occurrences are consistent, and each is followed by a dedicated actions/upload-artifact step with unique per-project names. The cloud repo's workflows were also checked and don't use sbom-action, so no parallel fix is needed.


To request another review round, comment /review.

@gustavosbarreto gustavosbarreto enabled auto-merge (rebase) April 8, 2026 19:31
The sbom-action was configured with artifact-name: "" which
does not disable artifact upload but instead generates an
auto-incremented name. When matrix jobs run in parallel,
these names collide causing a 409 Conflict error.

Replace with upload-artifact: false since a dedicated
upload-artifact step with unique per-project names already
handles the upload.
@gustavosbarreto gustavosbarreto force-pushed the fix/sbom-artifact-collision branch from 081fb9c to 8a9b575 Compare April 8, 2026 19:32
@gustavosbarreto gustavosbarreto merged commit c4af4c7 into master Apr 8, 2026
13 checks passed
@gustavosbarreto gustavosbarreto deleted the fix/sbom-artifact-collision branch April 8, 2026 19:33
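
The change discussed in this thread, sketched as an added example that is not taken from the repository's workflow files: a matrix job with the old setting shown commented out beside the corrected one. The workflow name, job name, matrix values, directory layout and file names are assumptions; `path`, `format` and `output-file` are existing `anchore/sbom-action` inputs used here in addition to the two named in the PR.

```yaml
# Constructed example: workflow/job names, matrix values, directories and file
# names are hypothetical; only the artifact-name / upload-artifact settings
# come from the pull request.
name: release-example
on:
  push:
    tags: ["v*"]

jobs:
  publish:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        project: [api, gateway, ui]   # hypothetical; legs run in parallel
    steps:
      - uses: actions/checkout@v4

      # Before: an empty artifact-name does not turn the built-in upload off.
      # Per the PR, sbom-action then uses auto-incremented names, which collide
      # across parallel matrix legs and fail the build with 409 Conflict.
      #
      # - uses: anchore/sbom-action@v0
      #   with:
      #     path: ./${{ matrix.project }}
      #     output-file: sbom-${{ matrix.project }}.spdx.json
      #     artifact-name: ""

      # After: only write the SBOM file; the action uploads nothing itself.
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          path: ./${{ matrix.project }}
          format: spdx-json
          output-file: sbom-${{ matrix.project }}.spdx.json
          upload-artifact: false

      # Single upload path: the artifact name carries the matrix value, so
      # every leg writes a distinct artifact. A missing SBOM fails the job
      # instead of producing a release without one.
      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom-${{ matrix.project }}
          path: sbom-${{ matrix.project }}.spdx.json
          if-no-files-found: error
```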