From ef94a0b431771841f9c7b8abbb5df884ab744639 Mon Sep 17 00:00:00 2001
From: "Adolfo Garcia Veytia (puerco)"
Date: Fri, 26 Aug 2022 11:52:12 -0400
Subject: [PATCH] Bump SPDX tools to 1.1.0
This commit bumps SPDX tools to 1.1.0 preparing the CI to validate SPDX 2.3 documents.
Signed-off-by: Adolfo Garcia Veytia (puerco)
---
 .github/workflows/sbom.yaml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml
index 4963f20a95..a77d4c9db4 100644
--- a/.github/workflows/sbom.yaml
+++ b/.github/workflows/sbom.yaml
@@ -4,6 +4,9 @@ on: pull_request: branches: ['main']
+env:
+ SPDX_TOOLS_VERSION: 1.1.0
+
 jobs: go-version-m: name: Generate go version -m
@@ -75,15 +78,15 @@ jobs: - name: Install SPDX Tools run: |
- wget https://github.com/spdx/tools-java/releases/download/v1.0.4/tools-java-1.0.4.zip
- unzip tools-java-1.0.4.zip
+ wget https://github.com/spdx/tools-java/releases/download/v${SPDX_TOOLS_VERSION}/tools-java-${SPDX_TOOLS_VERSION}.zip
+ unzip tools-java-${SPDX_TOOLS_VERSION}.zip
 - name: Generate and Validate run: | img=$(go run ./ build ./) go run ./ deps $img --sbom=spdx | tee spdx.json
- java -jar ./tools-java-1.0.4-jar-with-dependencies.jar Verify spdx.json
+ java -jar ./tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar Verify spdx.json
 - uses: actions/upload-artifact@v3 if: ${{ always() }}
@@ -108,8 +111,8 @@ jobs: - name: Install SPDX Tools run: |
- wget https://github.com/spdx/tools-java/releases/download/v1.0.4/tools-java-1.0.4.zip
- unzip tools-java-1.0.4.zip
+ wget https://github.com/spdx/tools-java/releases/download/v${SPDX_TOOLS_VERSION}/tools-java-${SPDX_TOOLS_VERSION}.zip
+ unzip tools-java-${SPDX_TOOLS_VERSION}.zip
 - name: Install Cosign uses: sigstore/cosign-installer@v2.5.1
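Review bot: The new `SPDX_TOOLS_VERSION: 1.1.0` in the `env:` block (hunk at -4,6) is an unquoted plain scalar and stays a string only because it happens to contain two dots. A later bump to a two-component value such as `1.10` may be read as a number by the YAML loader and then expand to a different string in the download URL and jar name. Quoting it keeps the value literal whatever the next version looks like: `SPDX_TOOLS_VERSION: '1.1.0'`.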
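Review bot: The archive fetched by the added `wget` line in the Install SPDX Tools step (hunk at -75,15) is unpacked and its jar is then run with `java -jar` with no integrity check, so the job trusts whatever the release URL serves at run time. Now that the version lives in one variable, a pinned digest can sit beside it: add `SPDX_TOOLS_SHA256: '<sha256 of tools-java-1.1.0.zip>'` under `env:` and, between `wget` and `unzip`, `echo "${SPDX_TOOLS_SHA256}  tools-java-${SPDX_TOOLS_VERSION}.zip" | sha256sum -c -`. The digest shown is a placeholder to be taken from the verified release artifact and updated with each version bump. The same applies to the identical install step in the hunk at -108,8.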
@@ -121,7 +124,7 @@ jobs: img=$(go run ./ build --platform=linux/amd64,linux/arm64 ./) cosign download sbom $img | tee spdx-multi-arch.json
- java -jar ./tools-java-1.0.4-jar-with-dependencies.jar Verify spdx-multi-arch.json
+ java -jar ./tools-java-${SPDX_TOOLS_VERSION}-jar-with -dependencies.jar Verify spdx-multi-arch.json
 - uses: actions/upload-artifact@v3 if: ${{ always() }}
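Review bot: The added `java -jar` line in this hunk reads `-jar-with -dependencies.jar`, with a space that the matching line in the hunk at -75,15 does not have. This may only be an artifact of how the page was rendered, but if the space is in the patch itself, `java` would look for a jar named `./tools-java-${SPDX_TOOLS_VERSION}-jar-with` and the multi-arch validation would fail before checking the SBOM. The line should match the single-arch step: `java -jar ./tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar Verify spdx-multi-arch.json`. The step's `run:` block starts outside this hunk.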