Fix dedup for docker/chainguard SBOM uploads #14

Merged: vpetersson merged 1 commit into master from fix/dedup-logic, Mar 7, 2026

@vpetersson (Contributor)

Summary

  • Dedup check was searching release artifacts for the image digest, but artifacts end up in the "latest" release rather than the versioned release — so the check always said "new digest, will upload", causing every hourly sync to fail with HTTP 409 "SBOM already exists"
  • Fixed to check the component's SBOMs directly via /components/{id}/sboms for an existing SBOM with the digest as version
  • Simplified cleanup to delete old SBOMs from the component rather than searching release artifacts

Test plan

  • Merge and wait for next TEA Sync run
  • Verify docker/chainguard jobs that already have SBOMs skip upload (dedup works)
  • Verify new digests still trigger upload
  • Verify old SBOMs are cleaned up after successful upload

🤖 Generated with Claude Code

…lease artifacts

The previous dedup logic searched for the image digest in release artifacts,
but artifacts may live in the "latest" release rather than the versioned one.
Now checks directly if the component already has an SBOM with the digest as
version. Also simplifies cleanup to delete old SBOMs from the component.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@vpetersson vpetersson merged commit e598ae2 into master Mar 7, 2026
61 checks passed
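
As an added example (not code from this pull request or the project), the dedup check and cleanup order described in the summary can be sketched in Python. The client methods `list_sboms`, `upload` and `delete`, the record fields `id` and `version`, and the in-memory `FakeClient` are assumptions for illustration; treating a 409 as a lost race goes beyond what the PR states.

```python
class Conflict(Exception):
    """Raised by the hypothetical client when the server answers HTTP 409."""


class FakeClient:
    """In-memory stand-in for the SBOM service; all data here is constructed."""

    def __init__(self, sboms):
        self.sboms = list(sboms)  # each record: {"id": ..., "version": <image digest>}
        self.next_id = 100

    def list_sboms(self, component_id):
        # Stands in for GET /components/{id}/sboms
        return list(self.sboms)

    def upload(self, component_id, digest):
        if any(s["version"] == digest for s in self.sboms):
            raise Conflict("SBOM already exists")
        self.next_id += 1
        self.sboms.append({"id": self.next_id, "version": digest})

    def delete(self, sbom_id):
        self.sboms = [s for s in self.sboms if s["id"] != sbom_id]


def sync_sbom(client, component_id, digest):
    """Upload an SBOM for `digest` unless the component already has one.

    Returns "skipped", "uploaded" or "raced".
    """
    existing = client.list_sboms(component_id)
    if any(s["version"] == digest for s in existing):
        return "skipped"  # dedup hit: no upload, no cleanup
    try:
        client.upload(component_id, digest)
    except Conflict:
        # Assumption: another run uploaded the same digest between list and
        # upload. Leave older SBOMs alone; the next run will see it and skip.
        return "raced"
    # Clean up only after a successful upload, so a failed upload never
    # leaves the component without an SBOM.
    for s in existing:
        client.delete(s["id"])
    return "uploaded"
```
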