output to tmpdir

Signed-off-by: Keith Zantow <kzantow@gmail.com>
anchore · Feb 17, 2022 · d9653aa · d9653aa
1 parent 304ad09
commit d9653aa
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 28 deletions.
diff --git a/dist/attachReleaseAssets/index.js b/dist/attachReleaseAssets/index.js
diff --git a/dist/downloadSyft/index.js b/dist/downloadSyft/index.js
diff --git a/dist/runSyftAction/index.js b/dist/runSyftAction/index.js
diff --git a/src/github/SyftGithubAction.ts b/src/github/SyftGithubAction.ts
@@ -8,7 +8,6 @@ import {
   ReleaseEvent,
 } from "@octokit/webhooks-types";
 import * as fs from "fs";
-import * as os from "os";
 import path from "path";
 import stream from "stream";
 import { SyftOptions } from "../Syft";
@@ -20,6 +19,8 @@ export const SYFT_VERSION = core.getInput("syft-version") || "v0.33.0";
 
 const PRIOR_ARTIFACT_ENV_VAR = "ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT";
 
+const tempDir = fs.mkdtempSync("sbom-action-");
+
 /**
  * Tries to get a unique artifact name or otherwise as appropriate as possible
  */
@@ -149,7 +150,7 @@ async function executeSyft({ input, format }: SyftOptions): Promise<string> {
   args = [...args, "-o", format];
 
   // always generate github dependency format
-  args = [...args, "-o", "github=github.sbom.json"];
+  args = [...args, "-o", `github=${tempDir}/github.sbom.json`];
 
   // Execute in a group so the syft output is collapsed in the GitHub log
   core.info(`[command]${cmd} ${args.join(" ")}`);
@@ -256,8 +257,7 @@ export async function uploadSbomArtifact(contents: string): Promise<void> {
 
   const fileName = getArtifactName();
 
-  const tempPath = fs.mkdtempSync(path.join(os.tmpdir(), "sbom-action-"));
-  const filePath = `${tempPath}/${fileName}`;
+  const filePath = `${tempDir}/${fileName}`;
   fs.writeFileSync(filePath, contents);
 
   const outputFile = core.getInput("output-file");
@@ -383,7 +383,7 @@ export async function runSyftAction(): Promise<void> {
 
     if (doUpload) {
       const snapshot = JSON.parse(
-        fs.readFileSync("github.sbom.json").toString("utf8")
+        fs.readFileSync(`${tempDir}/github.sbom.json`).toString("utf8")
       ) as DependencySnapshot;
 
       snapshot.job = {
@@ -398,9 +398,7 @@ export async function runSyftAction(): Promise<void> {
 
       const response = await postDependencySnapshot(snapshot);
       core.info(`DS Response: ${JSON.stringify(response)}`);
-    }
 
-    if (doUpload) {
       await uploadSbomArtifact(output);
 
       core.exportVariable(PRIOR_ARTIFACT_ENV_VAR, getArtifactName());