Twaks workflow

.github/workflows/phase_1_python.yml

@@ -102,6 +102,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: [Container, Application]
     steps:
+
+      # To marge both a container and application SBOM, we
+      # need to use hierarchy structure. The tooling isn't there yet.
+      # We are exploring `sbomasm` and `bomctl` for this step.
+
       - uses: actions/checkout@v4
 
       - name: Install sbomasm
@@ -110,24 +115,12 @@ jobs:
             "https://github.com/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64"
           chmod +x /tmp/sbomasm
 
-      # Should probably pin this dependency
-      - name: "Install sbommerge"
+      - name: "Merge Debugging"
         run: |
-          python -m pip install sbommerge
+          echo "Output file: /tmp/flattened-cyclonedx.json
+          echo "Input files: container-sbom-cyclonedx/container-sbom_cyclonedx.json application-sbom-cyclonedx/application-sbom_cyclonedx.json"
 
-      - name: Download all workflow run artifacts
-        uses: actions/download-artifact@v4
-
-      # We need `continue-on-error: true` here as we sometimes get a non-exit 0
-      - name: "CycloneDX: Generate Merged SBOM"
-        continue-on-error: true
-        run: |
-          sbommerge \
-            --format json \
-            --sbom cyclonedx \
-            --output-file /tmp/flattened-cyclonedx.json \
-            container-sbom-cyclonedx/container-sbom_cyclonedx.json \
-            application-sbom-cyclonedx/application-sbom_cyclonedx.json
+          touch /tmp/flattened-cyclonedx.json
 
       - name: Upload Combined CycloneDX SBOM
         uses: actions/upload-artifact@v4