Merge branch 'main' into ecosystem-bundle-validation

.github/workflows/go-ci.yaml

@@ -18,7 +18,7 @@ jobs:
           go-version-file: './${{matrix.path}}/go.mod'
           cache-dependency-path: ./${{matrix.path}}/go.sum
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@82fb3f49c21caa9527bf0335d412acbf02388f95
+        uses: golangci/golangci-lint-action@ea0c88120e8fe1b09b2134dc97e879870b61b7ce
         with:
           working-directory: ${{matrix.path}}
           args: "--timeout=10m --build-tags='normal periodic'"
@@ -84,7 +84,7 @@ jobs:
           # we let the report trigger content trigger a failure using the GitHub Security features.
           args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...'
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@9f93f47966f6365f7dd2b0eb0b06e74e4e64afaf
+        uses: github/codeql-action/upload-sarif@5ac2ddd6fc78e6c0d2af5b110b19381f38bd84df
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: results.sarif

.tekton/tasks/ec-checks.yaml

@@ -23,7 +23,7 @@ spec:
       $(all_tasks_dir all_tasks-ec)
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:2784e6899ce02e8a5a46a8a74846f8ab33a4a816a1c6c712c6c18f05998ccabc
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:a372807cc4cfb8bebf41b8ae3a79b53c3ae94a07e3659517f92ea9e10e760d5b
     script: |
       set -euo pipefail
 
@@ -37,7 +37,7 @@ spec:
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   - name: validate-build-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:2784e6899ce02e8a5a46a8a74846f8ab33a4a816a1c6c712c6c18f05998ccabc
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:a372807cc4cfb8bebf41b8ae3a79b53c3ae94a07e3659517f92ea9e10e760d5b
     script: |
       set -euo pipefail
 

pipelines/enterprise-contract.yaml

@@ -109,7 +109,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:83c6e36dab62519a7de6dd54f1dfc46b45adb1a4bd656c5a89354b84bdcc0b3e
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:978d48e842a3d7060035f8006b43f3aec84eb87deac3ada47a32b19d96417cbc
           - name: name
             value: verify-enterprise-contract
           - name: kind

task-generator/trusted-artifacts/go.mod

@@ -1,6 +1,6 @@
 module github.com/konflux-ci/build-definitions/task-generator/trusted-artifacts
 
-go 1.22.5
+go 1.22.7
 
 require (
 	github.com/google/go-cmp v0.6.0
@@ -9,8 +9,8 @@ require (
 	github.com/zregvart/tkn-fmt v0.0.0-20240614122620-a2995427266c
 	k8s.io/api v0.30.1
 	mvdan.cc/sh/v3 v3.10.0
-	sigs.k8s.io/kustomize/api v0.17.3
-	sigs.k8s.io/kustomize/kyaml v0.17.2
+	sigs.k8s.io/kustomize/api v0.18.0
+	sigs.k8s.io/kustomize/kyaml v0.18.1
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -67,7 +67,6 @@ require (
 	github.com/vbatts/tar-split v0.11.3 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 // indirect

task-generator/trusted-artifacts/go.sum

@@ -333,8 +333,9 @@ github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8w
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -367,8 +368,6 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
-go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
@@ -489,7 +488,6 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -734,10 +732,10 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/kustomize/api v0.17.3 h1:6GCuHSsxq7fN5yhF2XrC+AAr8gxQwhexgHflOAD/JJU=
-sigs.k8s.io/kustomize/api v0.17.3/go.mod h1:TuDH4mdx7jTfK61SQ/j1QZM/QWR+5rmEiNjvYlhzFhc=
-sigs.k8s.io/kustomize/kyaml v0.17.2 h1:+AzvoJUY0kq4QAhH/ydPHHMRLijtUKiyVyh7fOSshr0=
-sigs.k8s.io/kustomize/kyaml v0.17.2/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U=
+sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo=
+sigs.k8s.io/kustomize/api v0.18.0/go.mod h1:f8isXnX+8b+SGLHQ6yO4JG1rdkZlvhaCf/uZbLVMb0U=
+sigs.k8s.io/kustomize/kyaml v0.18.1 h1:WvBo56Wzw3fjS+7vBjN6TeivvpbW9GmRaWZ9CIVmt4E=
+sigs.k8s.io/kustomize/kyaml v0.18.1/go.mod h1:C3L2BFVU1jgcddNBE1TxuVLgS46TjObMwW5FT9FcjYo=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=

task/acs-deploy-check/0.1/acs-deploy-check.yaml

@@ -154,7 +154,7 @@ spec:
         fi
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:a47c89f02b39a98290f88204ed3d162845db0a0c464b319c2596cfd1e94b444e
+      image: registry.access.redhat.com/ubi8-minimal@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c
       volumeMounts:
         - name: repository
           mountPath: /workspace/repository

task/acs-image-check/0.1/acs-image-check.yaml

@@ -53,7 +53,7 @@ spec:
         oc annotate taskrun $(context.taskRun.name) task.output.location=logs
 
     - name: rox-image-check
-      image: registry.access.redhat.com/ubi8-minimal@sha256:a47c89f02b39a98290f88204ed3d162845db0a0c464b319c2596cfd1e94b444e
+      image: registry.access.redhat.com/ubi8-minimal@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c
       volumeMounts:
         - name: rox-secret
           mountPath: /rox-secret
@@ -121,7 +121,7 @@ spec:
         cp roxctl_image_check_output.json /steps-shared-folder/acs-image-check.json
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:a47c89f02b39a98290f88204ed3d162845db0a0c464b319c2596cfd1e94b444e
+      image: registry.access.redhat.com/ubi8-minimal@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c
       volumeMounts:
         - name: shared-folder
           mountPath: /steps-shared-folder

task/acs-image-scan/0.1/acs-image-scan.yaml

@@ -60,7 +60,7 @@ spec:
         oc annotate taskrun $(context.taskRun.name) task.output.location=logs
 
     - name: rox-image-scan
-      image: registry.access.redhat.com/ubi8-minimal@sha256:a47c89f02b39a98290f88204ed3d162845db0a0c464b319c2596cfd1e94b444e
+      image: registry.access.redhat.com/ubi8-minimal@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c
       volumeMounts:
         - name: rox-secret
           mountPath: /rox-secret
@@ -160,7 +160,7 @@ spec:
         set_test_output_result SUCCESS "$note"
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:a47c89f02b39a98290f88204ed3d162845db0a0c464b319c2596cfd1e94b444e
+      image: registry.access.redhat.com/ubi8-minimal@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c
       volumeMounts:
         - name: shared-folder
           mountPath: /steps-shared-folder

task/apply-tags/0.1/apply-tags.yaml

@@ -34,7 +34,7 @@ spec:
         readOnly: true
   steps:
     - name: apply-additional-tags-from-parameter
-      image: registry.access.redhat.com/ubi9/skopeo:9.4-12@sha256:61871ab37e9b1291e3547f36ba692a4dc59c22e9e045a5b4d5bf9a55155ab779
+      image: registry.access.redhat.com/ubi9/skopeo:9.4-14.1728984400@sha256:891ee232a9319ed0f675c318f9605422bde7436328e7faec7dc896a206a78e54
       args:
         - $(params.ADDITIONAL_TAGS[*])
       env:
@@ -54,7 +54,7 @@ spec:
         fi
 
     - name: apply-additional-tags-from-image-label
-      image: registry.access.redhat.com/ubi9/skopeo:9.4-12@sha256:61871ab37e9b1291e3547f36ba692a4dc59c22e9e045a5b4d5bf9a55155ab779
+      image: registry.access.redhat.com/ubi9/skopeo:9.4-14.1728984400@sha256:891ee232a9319ed0f675c318f9605422bde7436328e7faec7dc896a206a78e54
       env:
       - name: IMAGE
         value: $(params.IMAGE)

task/build-image-index/0.1/build-image-index.yaml

@@ -163,7 +163,7 @@ spec:
         add:
           - SETFCAP
 
-  - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:53a3041dff341b7fd1765b9cc2c324625d19e804b2eaff10a6e6d9dcdbde3a91
+  - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:1a7db0fe9fd10addcd77d9fda9a490bd8a686e1f8fe92ca124b9891121edb9d6
     name: create-sbom
     computeResources:
       limits:

task/buildah-oci-ta/0.1/buildah-oci-ta.yaml

@@ -456,7 +456,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: merge-syft-sboms
-      image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d
+      image: registry.access.redhat.com/ubi9/python-39:1-197.1729767844@sha256:e7f5b60728d8e71588272e28b88c2e8fe9e63609347fb379b8c1625df886e189
       workingDir: /var/workdir
       script: |
         #!/bin/python3
@@ -503,7 +503,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: create-purl-sbom
-      image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d
+      image: registry.access.redhat.com/ubi9/python-39:1-197.1729767844@sha256:e7f5b60728d8e71588272e28b88c2e8fe9e63609347fb379b8c1625df886e189
       workingDir: /var/workdir
       script: |
         #!/bin/python3

task/buildah-oci-ta/0.2/buildah-oci-ta.yaml

@@ -441,20 +441,25 @@ spec:
         #    shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
         #    container.
 
-        REGISTERED="false"
         if [ -e /activation-key/org ]; then
           cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
-          mkdir /shared/rhsm-tmp
-          VOLUME_MOUNTS+=(--volume /tmp/activation-key:/activation-key -v /shared/rhsm-tmp:/etc/pki/entitlement:Z)
+          mkdir -p /shared/rhsm/etc/pki/entitlement
+          mkdir -p /shared/rhsm/etc/pki/consumer
+
+          VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key
+            -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z
+            -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)
           echo "Adding activation key to the build"
 
           if ! grep subscription-manager "$dockerfile_path" | grep -q register; then
             # user is not running registration in the Containerfile: pre-register.
             echo "Pre-registering with subscription manager."
             subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)"
-            REGISTERED=$?
-            # copy generated certificates to /shared/rhsm-tmp
-            cp /etc/pki/entitlement/*.pem /shared/rhsm-tmp
+            trap 'subscription-manager unregister || true' EXIT
+
+            # copy generated certificates to /shared volume
+            cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement
+            cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer
 
             # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca
             VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/run/secrets/rhsm/ca/redhat-uep.pem)
@@ -507,6 +512,9 @@ spec:
           command="$buildah_cmd"
         fi
 
+        # disable host subcription manager integration
+        find /usr/share/rhel/secrets -type l -exec unlink {} \;
+
         unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
 
         container=$(buildah from --pull-never "$IMAGE")
@@ -527,11 +535,6 @@ spec:
 
         # Needed to generate base images SBOM
         echo "$BASE_IMAGES" >/shared/base_images_from_dockerfile
-
-        # unregister pod from subscription manager
-        if [ "$REGISTERED" == "0" ]; then
-          subscription-manager unregister
-        fi
       computeResources:
         limits:
           cpu: "4"
@@ -587,7 +590,7 @@ spec:
       securityContext:
         runAsUser: 0
     - name: prepare-sboms
-      image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:53a3041dff341b7fd1765b9cc2c324625d19e804b2eaff10a6e6d9dcdbde3a91
+      image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:1a7db0fe9fd10addcd77d9fda9a490bd8a686e1f8fe92ca124b9891121edb9d6
       workingDir: /var/workdir
       script: |
         echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"
@@ -629,6 +632,19 @@ spec:
         #!/bin/bash
         set -e
 
+        retry() {
+          status=-1
+          max_run=5
+          sleep_sec=10
+
+          for run in $(seq 1 $max_run); do
+            status=0
+            [ "$run" -gt 1 ] && sleep $sleep_sec
+            "$@" && break || status=$?
+          done
+          return $status
+        }
+
         ca_bundle=/mnt/trusted-ca/ca-bundle.crt
         if [ -f "$ca_bundle" ]; then
           echo "INFO: Using mounted CA bundle: $ca_bundle"
@@ -649,20 +665,21 @@ spec:
 
         buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE
 
-        status=-1
-        max_run=5
-        sleep_sec=10
-        for run in $(seq 1 $max_run); do
-          status=0
-          [ "$run" -gt 1 ] && sleep $sleep_sec
-          echo "Pushing sbom image to registry"
-          buildah push \
-            --tls-verify=$TLSVERIFY \
-            --digestfile /var/workdir/image-digest $IMAGE \
-            docker://$IMAGE && break || status=$?
-        done
-        if [ "$status" -ne 0 ]; then
-          echo "Failed to push sbom image to registry after ${max_run} tries"
+        echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"
+        if ! retry buildah push \
+          --tls-verify="$TLSVERIFY" \
+          "$IMAGE" \
+          "docker://${IMAGE%:*}:$(context.taskRun.name)"; then
+          echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"
+          exit 1
+        fi
+
+        echo "Pushing to ${IMAGE}"
+        if ! retry buildah push \
+          --tls-verify="$TLSVERIFY" \
+          --digestfile "/var/workdir/image-digest" "$IMAGE" \
+          "docker://$IMAGE"; then
+          echo "Failed to push sbom image to $IMAGE after ${max_run} tries"
           exit 1
         fi
 

task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml

@@ -543,7 +543,7 @@ spec:
     - mountPath: /shared
       name: shared
   - computeResources: {}
-    image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d
+    image: registry.access.redhat.com/ubi9/python-39:1-197.1729767844@sha256:e7f5b60728d8e71588272e28b88c2e8fe9e63609347fb379b8c1625df886e189
     name: merge-syft-sboms
     script: |
       #!/bin/python3
@@ -592,7 +592,7 @@ spec:
       runAsUser: 0
     workingDir: /var/workdir
   - computeResources: {}
-    image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d
+    image: registry.access.redhat.com/ubi9/python-39:1-197.1729767844@sha256:e7f5b60728d8e71588272e28b88c2e8fe9e63609347fb379b8c1625df886e189
     name: create-purl-sbom
     script: |
       #!/bin/python3