From 4ba5bef9446f3a199466bd2941a23e2fd559f8bd Mon Sep 17 00:00:00 2001
From: Thomas Roos
Date: Mon, 11 Aug 2025 16:50:21 +0000
Subject: [PATCH 1/4] Add SBOM generation for specific raspberrypi-64 greengrass demo images Generate SPDX SBOM files only for: - raspberrypi-64 + aws-iot-greengrass-demo-image - raspberrypi-64 + aws-iot-greengrass-lite-demo-image when upload-zip is enabled
---
 .github/workflows/build-gg-lite.yml | 10 ++++++++++
 .github/workflows/build-gg.yml | 10 ++++++++++
 2 files changed, 20 insertions(+)
diff --git a/.github/workflows/build-gg-lite.yml b/.github/workflows/build-gg-lite.yml
index fa7467b5..ddf0e5f1 100644
--- a/.github/workflows/build-gg-lite.yml
+++ b/.github/workflows/build-gg-lite.yml
@@ -126,6 +126,16 @@ jobs:
 echo -e "# LIST OF PACKAGES WITH THEIR LICENSE AND VERSION\n#" >> ${{ github.workspace }}/zipfile/readme.txt
 echo -e "###############################################################################\n" >> ${{ github.workspace }}/zipfile/readme.txt
 cat ${{ github.workspace }}/build/tmp/deploy/licenses/raspberrypi_armv8/${{ matrix.image }}-raspberrypi-armv8.rootfs/license.manifest >> ${{ github.workspace }}/zipfile/readme.txt
+ - name: Generate SBOM
+ if: ${{ startsWith(matrix.device, 'raspberrypi-64') && startsWith(matrix.image, 'aws-iot-greengrass-lite-demo-image') && inputs.upload-zip }}
+ shell: bash
+ run: |
+ sudo -u yoctouser bash -c '\
+ . init-build-env && \
+ export DEVICE=${{ matrix.device }} && \
+ export IMAGE=${{ matrix.image }} && \
+ bitbake $IMAGE -c create_spdx'
+ cp ${{ github.workspace }}/build/tmp/deploy/spdx/raspberrypi-armv8/${{ matrix.image }}-raspberrypi-armv8.spdx.json ${{ github.workspace }}/zipfile/
 - name: cp image (raspberrypi) to zip dir
 if: startsWith(matrix.device, 'raspberrypi2')
 shell: bash
diff --git a/.github/workflows/build-gg.yml b/.github/workflows/build-gg.yml
index d2e99a37..fabb9e88 100644
--- a/.github/workflows/build-gg.yml
+++ b/.github/workflows/build-gg.yml
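Review bot: `${{ matrix.device }}` and `${{ matrix.image }}` are pasted into the `run:` script text of the new Generate SBOM step, inside the single-quoted `bash -c '…'` string and unquoted on the `cp` line, so a value containing a quote, space or shell metacharacter changes the command that runs as `yoctouser` instead of being treated as data. Where the matrix values come from is not visible in this hunk; if they are ever derived from workflow inputs this becomes a script-injection path. Passing both through the step's `env:` and referencing `"$IMAGE"` keeps them as data, as sketched below, assuming `init-build-env` does not rely on them being unset when it is sourced. The `bitbake $IMAGE` argument should be quoted as well. The same step is added to build-gg.yml in the next hunk of this patch.

```yaml
- name: Generate SBOM
  # … unchanged: if, shell …
  env:
    DEVICE: ${{ matrix.device }}
    IMAGE: ${{ matrix.image }}
  run: |
    sudo -u yoctouser env DEVICE="$DEVICE" IMAGE="$IMAGE" bash -c '
      . init-build-env &&
      export DEVICE IMAGE &&
      bitbake "$IMAGE" -c create_spdx'
    # … unchanged: cp of the SPDX file into zipfile/, with "$IMAGE" in place of the expression …
```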
@@ -108,6 +108,16 @@ jobs:
 echo -e "# LIST OF PACKAGES WITH THEIR LICENSE AND VERSION\n#" >> ${{ github.workspace }}/zipfile/readme.txt
 echo -e "###############################################################################\n" >> ${{ github.workspace }}/zipfile/readme.txt
 cat ${{ github.workspace }}/build/tmp/deploy/licenses/raspberrypi_armv8/${{ matrix.image }}-raspberrypi-armv8.rootfs/license.manifest >> ${{ github.workspace }}/zipfile/readme.txt
+ - name: Generate SBOM
+ if: ${{ startsWith(matrix.device, 'raspberrypi-64') && startsWith(matrix.image, 'aws-iot-greengrass-demo-image') && inputs.upload-zip }}
+ shell: bash
+ run: |
+ sudo -u yoctouser bash -c '\
+ . init-build-env && \
+ export DEVICE=${{ matrix.device }} && \
+ export IMAGE=${{ matrix.image }} && \
+ bitbake $IMAGE -c create_spdx'
+ cp ${{ github.workspace }}/build/tmp/deploy/spdx/raspberrypi-armv8/${{ matrix.image }}-raspberrypi-armv8.spdx.json ${{ github.workspace }}/zipfile/
 - name: cp image (raspberrypi) to zip dir
 if: startsWith(matrix.device, 'raspberrypi2')
 shell: bash
From 3356a96b2c37612c6c379513dfff9804746b1d0e Mon Sep 17 00:00:00 2001
From: Thomas Roos
Date: Mon, 11 Aug 2025 17:12:10 +0000
Subject: [PATCH 2/4] Fix SPDX file path in SBOM generation Use find command to locate SPDX files instead of hardcoded paths to handle different directory structures
---
 .github/workflows/build-gg-lite.yml | 2 +-
 .github/workflows/build-gg.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-gg-lite.yml b/.github/workflows/build-gg-lite.yml
index ddf0e5f1..ef550b04 100644
--- a/.github/workflows/build-gg-lite.yml
+++ b/.github/workflows/build-gg-lite.yml
@@ -135,7 +135,7 @@ jobs:
 export DEVICE=${{ matrix.device }} && \
 export IMAGE=${{ matrix.image }} && \
 bitbake $IMAGE -c create_spdx'
- cp ${{ github.workspace }}/build/tmp/deploy/spdx/raspberrypi-armv8/${{ matrix.image }}-raspberrypi-armv8.spdx.json ${{ github.workspace }}/zipfile/
+ find ${{ github.workspace }}/build/tmp/deploy/spdx -name "*${{ matrix.image }}*.spdx.json" -exec cp {} ${{ github.workspace }}/zipfile/ \;
 - name: cp image (raspberrypi) to zip dir
 if: startsWith(matrix.device, 'raspberrypi2')
 shell: bash
diff --git a/.github/workflows/build-gg.yml b/.github/workflows/build-gg.yml
index fabb9e88..c25abcda 100644
--- a/.github/workflows/build-gg.yml
+++ b/.github/workflows/build-gg.yml
@@ -117,7 +117,7 @@ jobs:
 export DEVICE=${{ matrix.device }} && \
 export IMAGE=${{ matrix.image }} && \
 bitbake $IMAGE -c create_spdx'
- cp ${{ github.workspace }}/build/tmp/deploy/spdx/raspberrypi-armv8/${{ matrix.image }}-raspberrypi-armv8.spdx.json ${{ github.workspace }}/zipfile/
+ find ${{ github.workspace }}/build/tmp/deploy/spdx -name "*${{ matrix.image }}*.spdx.json" -exec cp {} ${{ github.workspace }}/zipfile/ \;
 - name: cp image (raspberrypi) to zip dir
 if: startsWith(matrix.device, 'raspberrypi2')
 shell: bash
From c7b74b12ea028f6f29cb6ad8a1a39bdb456fb8ec Mon Sep 17 00:00:00 2001
From: Thomas Roos
Date: Mon, 11 Aug 2025 17:13:27 +0000
Subject: [PATCH 3/4] Use correct SPDX file path structure Path should be: tmp/deploy/spdx/IMAGE/MACHINE/IMAGE-MACHINE.spdx.json
---
 .github/workflows/build-gg-lite.yml | 2 +-
 .github/workflows/build-gg.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-gg-lite.yml b/.github/workflows/build-gg-lite.yml
index ef550b04..0ec31f15 100644
--- a/.github/workflows/build-gg-lite.yml
+++ b/.github/workflows/build-gg-lite.yml
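Review bot: `find … -exec cp {} … \;` on the new line exits successfully when nothing matches, so the step passes and the zip is assembled without any SBOM; the `*…*` pattern can also match several documents and copy all of them. If a search is kept, the result should be verified afterwards, for example with `ls "$GITHUB_WORKSPACE"/zipfile/*.spdx.json >/dev/null`, which fails the step when no file was copied. The build-gg.yml hunk of this patch carries the same line; patch 3/4 goes back to a plain `cp`, which does fail on a missing file.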
@@ -135,7 +135,7 @@ jobs:
 export DEVICE=${{ matrix.device }} && \
 export IMAGE=${{ matrix.image }} && \
 bitbake $IMAGE -c create_spdx'
- find ${{ github.workspace }}/build/tmp/deploy/spdx -name "*${{ matrix.image }}*.spdx.json" -exec cp {} ${{ github.workspace }}/zipfile/ \;
+ cp ${{ github.workspace }}/build/tmp/deploy/spdx/${{ matrix.image }}/raspberrypi-armv8/${{ matrix.image }}-raspberrypi-armv8.spdx.json ${{ github.workspace }}/zipfile/
 - name: cp image (raspberrypi) to zip dir
 if: startsWith(matrix.device, 'raspberrypi2')
 shell: bash
diff --git a/.github/workflows/build-gg.yml b/.github/workflows/build-gg.yml
index c25abcda..33b8ed4c 100644
--- a/.github/workflows/build-gg.yml
+++ b/.github/workflows/build-gg.yml
@@ -117,7 +117,7 @@ jobs:
 export DEVICE=${{ matrix.device }} && \
 export IMAGE=${{ matrix.image }} && \
 bitbake $IMAGE -c create_spdx'
- find ${{ github.workspace }}/build/tmp/deploy/spdx -name "*${{ matrix.image }}*.spdx.json" -exec cp {} ${{ github.workspace }}/zipfile/ \;
+ cp ${{ github.workspace }}/build/tmp/deploy/spdx/${{ matrix.image }}/raspberrypi-armv8/${{ matrix.image }}-raspberrypi-armv8.spdx.json ${{ github.workspace }}/zipfile/
 - name: cp image (raspberrypi) to zip dir
 if: startsWith(matrix.device, 'raspberrypi2')
 shell: bash
From f24bd088fe4a48f424b8bae8d386e340685718d2 Mon Sep 17 00:00:00 2001
From: Thomas Roos
Date: Mon, 11 Aug 2025 19:28:47 +0000
Subject: [PATCH 4/4] fix
---
 .github/workflows/build-gg-lite.yml | 2 +-
 .github/workflows/build-gg.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-gg-lite.yml b/.github/workflows/build-gg-lite.yml
index 0ec31f15..4eca69cf 100644
--- a/.github/workflows/build-gg-lite.yml
+++ b/.github/workflows/build-gg-lite.yml
@@ -135,7 +135,7 @@ jobs:
 export DEVICE=${{ matrix.device }} && \
 export IMAGE=${{ matrix.image }} && \
 bitbake $IMAGE -c create_spdx'
- cp ${{ github.workspace }}/build/tmp/deploy/spdx/${{ matrix.image }}/raspberrypi-armv8/${{ matrix.image }}-raspberrypi-armv8.spdx.json ${{ github.workspace }}/zipfile/
+ cp ${{ github.workspace }}/build/tmp/deploy/spdx/raspberrypi_armv8/recipes/recipe-aws-iot-greengrass-lite-demo-image.spdx.json ${{ github.workspace }}/zipfile/
 - name: cp image (raspberrypi) to zip dir
 if: startsWith(matrix.device, 'raspberrypi2')
 shell: bash
diff --git a/.github/workflows/build-gg.yml b/.github/workflows/build-gg.yml
index 33b8ed4c..3dad6339 100644
--- a/.github/workflows/build-gg.yml
+++ b/.github/workflows/build-gg.yml
@@ -117,7 +117,7 @@ jobs:
 export DEVICE=${{ matrix.device }} && \
 export IMAGE=${{ matrix.image }} && \
 bitbake $IMAGE -c create_spdx'
- cp ${{ github.workspace }}/build/tmp/deploy/spdx/${{ matrix.image }}/raspberrypi-armv8/${{ matrix.image }}-raspberrypi-armv8.spdx.json ${{ github.workspace }}/zipfile/
+ cp ${{ github.workspace }}/build/tmp/deploy/spdx/raspberrypi_armv8/recipes/recipe-aws-iot-greengrass-demo-image.spdx.json ${{ github.workspace }}/zipfile/
 - name: cp image (raspberrypi) to zip dir
 if: startsWith(matrix.device, 'raspberrypi2')
 shell: bash
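Review bot: The copied file name is now the literal `recipe-aws-iot-greengrass-lite-demo-image.spdx.json` (and `recipe-aws-iot-greengrass-demo-image.spdx.json` in the build-gg.yml hunk), while the step's `if:` added in patch 1/4 only requires `startsWith(matrix.image, …)`, so a longer image name would either fail the copy or package a document for a different recipe than the one just built. Deriving the name from the matrix value, e.g. `recipe-${IMAGE}.spdx.json` with `IMAGE: ${{ matrix.image }}` in the step's `env:`, keeps the artifact tied to what was built. The `recipes/recipe-` location also suggests this is the SPDX document of the image recipe alone, not an image-level SBOM listing the installed packages; that is inferred from the path only and is worth confirming before the zip presents the file as the image's SBOM.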