feat: we can pull paths from manifest for installed packages

samrose · samrose · commit 8516c7b7e401 · 2026-02-24T17:11:08.000-05:00
diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml
@@ -242,14 +242,14 @@ jobs:
         run: |
           VERSION="${{ steps.process_release_version.outputs.version }}"
 
-          # Check if comprehensive SBOM exists (generated during AMI build)
           if [ -f "nix-sbom.spdx.json" ]; then
             aws s3 cp nix-sbom.spdx.json \
               "s3://${{ secrets.SHARED_AWS_ARTIFACTS_BUCKET }}/sbom/${VERSION}/sbom.spdx.json" \
               --content-type "application/json"
             echo "::notice title=SBOM Uploaded::Comprehensive SBOM for ${VERSION} uploaded to shared artifacts"
           else
-            echo "::warning title=SBOM Missing::Comprehensive SBOM file not found, skipping upload"
+            echo "::error title=SBOM Missing::SBOM file not found - build cannot proceed without SBOM"
+            exit 1
           fi
 
       - name: Create release
diff --git a/nix/packages/sbom/default.nix b/nix/packages/sbom/default.nix
@@ -43,13 +43,32 @@ let
       fi
     done | sort -u | grep -v '^$'
   '';
+
+  # Combined wrapper that collects paths from profiles and generates SBOM
+  sbom-from-profiles = pkgs.writeShellScriptBin "sbom-from-profiles" ''
+    set -euo pipefail
+    OUTPUT="''${1:-/tmp/nix-sbom.spdx.json}"
+
+    # Collect store paths from user profiles
+    PATHS=$(${collect-nix-paths}/bin/collect-nix-paths)
+
+    # Build --nix-target arguments
+    ARGS=""
+    while IFS= read -r path; do
+      [ -n "$path" ] && ARGS="$ARGS --nix-target $path"
+    done <<< "$PATHS"
+
+    # Generate combined SBOM
+    ${sbom-generator}/bin/sbom-generator $ARGS --output "$OUTPUT"
+  '';
 in
 {
   inherit
     sbom
     sbom-ubuntu
     sbom-nix
     sbom-generator
+    sbom-from-profiles
     collect-nix-paths
     sbomnix
     ;
diff --git a/scripts/nix-provision.sh b/scripts/nix-provision.sh
@@ -64,7 +64,22 @@ function cleanup_packages {
     sudo add-apt-repository --yes --remove ppa:ansible/ansible
 }
 
+function generate_sbom {
+    echo "Generating combined SBOM from installed profiles..."
+
+    # Generate SBOM using the flake from GitHub at this exact commit
+    nix run "github:supabase/postgres/${GIT_SHA}#sbom-from-profiles" -- /tmp/nix-sbom.spdx.json
+
+    echo "SBOM generated at /tmp/nix-sbom.spdx.json"
+
+    # Clean up SBOM tooling and old generations from nix store
+    nix-collect-garbage -d
+
+    echo "Nix garbage collection complete"
+}
+
 install_packages
 install_nix
 execute_stage2_playbook
+generate_sbom
 cleanup_packages
diff --git a/stage2-nix-psql.pkr.hcl b/stage2-nix-psql.pkr.hcl
@@ -128,4 +128,11 @@ build {
      script = "scripts/nix-provision.sh"
   }
 
+  # Download SBOM from AMI to runner
+  provisioner "file" {
+    source      = "/tmp/nix-sbom.spdx.json"
+    destination = "nix-sbom.spdx.json"
+    direction   = "download"
+  }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -128,4 +128,11 @@ build {`
`128`	`128`	`script = "scripts/nix-provision.sh"`
`129`	`129`	`}`
`130`	`130`
	`131`	`+ # Download SBOM from AMI to runner`
	`132`	`+ provisioner "file" {`
	`133`	`+ source = "/tmp/nix-sbom.spdx.json"`
	`134`	`+ destination = "nix-sbom.spdx.json"`
	`135`	`+ direction = "download"`
	`136`	`+ }`
	`137`	`+`
`131`	`138`	`}`