Fix build SBOM: scan source tree instead of full OS image

SecAI-Hub · claude · SecAI-Hub · commit c5805084c0e5 · 2026-03-14T14:17:47.000-07:00
The SBOM generation step was trying to pull and scan the entire Fedora
Silverblue OS image (multi-GB, thousands of system packages) via
`syft scan ghcr.io/secai-hub/secai_os`. This exceeded the GitHub Actions
runner memory/time limits, causing the step to hang indefinitely.

Switch to scanning the source tree (`path: .`) which covers our custom
services and configuration. Fedora provides its own SBOMs for the base
OS packages.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -41,11 +41,16 @@ jobs:
         if: github.event_name != 'pull_request'
         run: echo "IMAGE_REF=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"
 
+      # Scan the source tree rather than the full OS image.
+      # The OS image is a multi-GB Fedora Silverblue base with thousands of
+      # system packages — scanning it via `syft scan <image>` exceeds the
+      # runner's memory/time limits. Fedora provides its own SBOMs for base
+      # packages. This SBOM covers our custom services and configuration.
       - name: Generate SBOM
         if: github.event_name != 'pull_request'
         uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
         with:
-          image: ${{ env.IMAGE_REF }}
+          path: .
           format: cyclonedx-json
           output-file: sbom.cdx.json
 
