From 4d629a381f510937b7fc4b4eb1da44bcc28ac236 Mon Sep 17 00:00:00 2001
From: Paul Macdonnell
Date: Sun, 14 Jun 2026 19:19:38 +1000
Subject: [PATCH] fix(sbom): avoid ARG_MAX limit when uploading large SBoMs to DTrack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Passing the base64-encoded SBoM as a shell --arg to jq fails with "Argument list too long" for large projects (metasearch hit this). Fixes by using jq --rawfile to read sbom.json directly, encoding with jq's @base64 filter, and piping the payload to curl via -d @- instead of a shell variable. Also strips UTF-8 BOM via ltrimstr("").
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/sbom.yml | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 6cea35e..2b84f4b 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -90,20 +90,18 @@ jobs:
 PROJECT_VERSION: ${{ github.sha }}
 PROJECT_TAGS: "${{ github.repository }}, ${{ github.ref_type }}, ${{ github.ref }}"
 run: |
- BOM_B64=$(base64 -w 0 sbom.json)
- [[ "${BOM_B64}" == 77u/* ]] && BOM_B64="${BOM_B64:4}"
 TAGS=$(printf '%s' "${PROJECT_TAGS}" | jq -Rc 'split(",") | map(gsub("^ +| +$"; "") | {name: .})')
- PAYLOAD=$(jq -n \
+ jq -n \
 --arg name "${PROJECT_NAME}" \
 --arg version "${PROJECT_VERSION}" \
 --argjson tags "${TAGS}" \
- --arg bom "${BOM_B64}" \
- '{projectName: $name, projectVersion: $version, autoCreate: true, bom: $bom, projectTags: $tags}')
- curl -sf -X PUT \
- -H "X-Api-Key: ${DT_APIKEY}" \
- -H "Content-Type: application/json" \
- -d "${PAYLOAD}" \
- "https://${DT_HOST}/api/v1/bom"
+ --rawfile bom sbom.json \
+ '{projectName: $name, projectVersion: $version, autoCreate: true, bom: ($bom | ltrimstr("\ufeff") | @base64), projectTags: $tags}' \
+ | curl -sf -X PUT \
+ -H "X-Api-Key: ${DT_APIKEY}" \
+ -H "Content-Type: application/json" \
+ -d @- \
+ "https://${DT_HOST}/api/v1/bom"
 - name: Get DTrack project URL
 id: dtrack-url
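Review bot: The added `jq -n … | curl -sf …` pipeline no longer stops the step when jq itself fails. The removed `PAYLOAD=$(jq -n …)` assignment aborted under `bash -e`, but a pipeline reports only curl's exit status unless `pipefail` is set. GitHub runs a `run:` block as `bash -e` when the step has no `shell:` key and adds `-o pipefail` only for an explicit `shell: bash`; the step header is outside this hunk, so either confirm it sets `shell: bash` or make `set -o pipefail` the first line of the script. If jq fails, curl would presumably PUT an empty body, and `-s` suppresses the resulting error text, so `-sSf` would keep the reason for a failed SBoM upload in the job log. `-d @-` also strips carriage returns and newlines from stdin, which is harmless for this JSON, but `--data-binary @-` sends exactly the bytes jq produced.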