From e364f71466a55378347b2572de2c6f1c62109cea Mon Sep 17 00:00:00 2001
From: Guilherme Salazar
Date: Mon, 10 Apr 2023 20:04:13 -0300
Subject: [PATCH] fix: ensure sbom is copied to `output-file`

Before this, the sbom file would only be copied to `output-file` if `upload-artifact` is true. However, the file may still be useful if upload is not enabled.
---
 src/github/SyftGithubAction.ts | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/src/github/SyftGithubAction.ts b/src/github/SyftGithubAction.ts
index 0717e127..3cb0fcf4 100644
--- a/src/github/SyftGithubAction.ts
+++ b/src/github/SyftGithubAction.ts
@@ -269,24 +269,14 @@ export function getSha(): string {
 /**
 * Uploads a SBOM as a workflow artifact
- * @param contents SBOM file contents
+ * @param filePath path to the SBOM file
 */
-export async function uploadSbomArtifact(contents: string): Promise {
+export async function uploadSbomArtifact(filePath: string): Promise {
 const { repo } = github.context;
 const client = getClient(repo, core.getInput("github-token"));
- const fileName = getArtifactName();
-
- const filePath = `${tempDir}/${fileName}`;
- fs.writeFileSync(filePath, contents);
-
 const retentionDays = parseInt(core.getInput("upload-artifact-retention"));
- const outputFile = core.getInput("output-file");
- if (outputFile) {
- fs.copyFileSync(filePath, outputFile);
- }
-
 core.info(dashWrap("Uploading workflow artifacts"));
 core.info(filePath);
@@ -384,8 +374,13 @@ export async function runSyftAction(): Promise {
 core.debug(`Prior artifact: ${priorArtifact}`);
 }
+ const outputFile = core.getInput("output-file");
+ if (outputFile) {
+ fs.writeFileSync(outputFile, contents);
+ }
+
 if (doUpload) {
- await uploadSbomArtifact(output);
+ await uploadSbomArtifact(outputFile);
 core.exportVariable(PRIOR_ARTIFACT_ENV_VAR, getArtifactName());
 }
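Review bot: `uploadSbomArtifact` now takes a path and no longer writes the file itself, but nothing in the visible lines rejects an empty or missing `filePath`. The caller in the second hunk passes `outputFile`, which is an empty string whenever the `output-file` input is unset, so a run with upload enabled and no `output-file` would hand an empty path to the upload and the SBOM would presumably not be attached to the workflow run. I would guard the top of the function with `if (!filePath) throw new Error("uploadSbomArtifact: SBOM file path is empty");` and have the caller fall back to a file under `tempDir` named by `getArtifactName()` when `output-file` is not set; the `@param` line should also say that the file must already exist. The function body continues past the end of this hunk.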
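Review bot: `fs.writeFileSync(outputFile, contents)` writes `contents`, which is not declared anywhere in the visible lines, while the call this hunk replaces passed `output`. Unless `contents` is defined earlier in `runSyftAction` (which starts outside the hunk), this looks like it should be `fs.writeFileSync(outputFile, output);`. Separately, the uploaded file now sits at the user-chosen path while `PRIOR_ARTIFACT_ENV_VAR` is still set from `getArtifactName()`; if the upload derives the artifact file name from the path, the two can disagree, which is worth checking against the part of `uploadSbomArtifact` not shown here.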