fix sbom generation inconsistency, take 2

internal/gok/overwrite.go

@@ -70,6 +70,14 @@ func (r *overwriteImplConfig) run(ctx context.Context, args []string, stdout, st
 		return err
 	}
 
+	// GenerateSBOM() must be called before any modifications to cfg.InternalCompatibilityFlags,
+	// as the SBOM should reflect what’s going into gokrazy,
+	// not its internal implementation details.
+	sbom, _, err := packer.GenerateSBOM(cfg)
+	if err != nil {
+		return err
+	}
+
 	if cfg.InternalCompatibilityFlags == nil {
 		cfg.InternalCompatibilityFlags = &config.InternalCompatibilityFlags{}
 	}
@@ -123,6 +131,7 @@ func (r *overwriteImplConfig) run(ctx context.Context, args []string, stdout, st
 	pack := &packer.Pack{
 		Cfg:    cfg,
 		Output: &output,
+		SBOM:   sbom,
 	}
 
 	pack.Main("gokrazy gok")

internal/gok/sbom.go

@@ -58,6 +58,9 @@ func (r *sbomConfig) run(ctx context.Context, args []string, stdout, stderr io.W
 
 	updateflag.SetUpdate("yes")
 
+	// GenerateSBOM() must be called before any modifications to cfg.InternalCompatibilityFlags,
+	// as the SBOM should reflect what’s going into gokrazy,
+	// not its internal implementation details.
 	sbomMarshaled, sbomWithHash, err := packer.GenerateSBOM(cfg)
 	if os.IsNotExist(err) {
 		// Common case, handle with a good error message

internal/gok/update.go

@@ -50,6 +50,14 @@ func (r *updateImplConfig) run(ctx context.Context, args []string, stdout, stder
 		return err
 	}
 
+	// GenerateSBOM() must be called before any modifications to cfg.InternalCompatibilityFlags,
+	// as the SBOM should reflect what’s going into gokrazy,
+	// not its internal implementation details.
+	sbom, _, err := packer.GenerateSBOM(cfg)
+	if err != nil {
+		return err
+	}
+
 	if cfg.InternalCompatibilityFlags == nil {
 		cfg.InternalCompatibilityFlags = &config.InternalCompatibilityFlags{}
 	}
@@ -77,7 +85,8 @@ func (r *updateImplConfig) run(ctx context.Context, args []string, stdout, stder
 	}
 
 	pack := &packer.Pack{
-		Cfg: cfg,
+		Cfg:  cfg,
+		SBOM: sbom,
 	}
 
 	pack.Main("gokrazy gok")

internal/packer/gaf.go

@@ -49,12 +49,7 @@ func (p *Pack) overwriteGaf(root *FileInfo) error {
 		return err
 	}
 
-	sbomMarshaled, _, err := GenerateSBOM(p.Cfg)
-	if err != nil {
-		return err
-	}
-
-	if _, err := tmpSBOM.Write(sbomMarshaled); err != nil {
+	if _, err := tmpSBOM.Write(p.SBOM); err != nil {
 		return err
 	}
 

internal/packer/packer.go

@@ -980,6 +980,7 @@ type Pack struct {
 
 	Cfg    *config.Struct
 	Output *OutputStruct
+	SBOM   []byte
 }
 
 func filterGoEnv(env []string) []string {
@@ -1366,14 +1367,10 @@ func (pack *Pack) logic(programName string) error {
 		FromLiteral: update.HTTPSPort,
 	})
 
-	sbom, _, err := GenerateSBOM(cfg)
-	if err != nil {
-		return err
-	}
 	etcGokrazy := &FileInfo{Filename: "gokrazy"}
 	etcGokrazy.Dirents = append(etcGokrazy.Dirents, &FileInfo{
 		Filename:    "sbom.json",
-		FromLiteral: string(sbom),
+		FromLiteral: string(pack.SBOM),
 	})
 	etc.Dirents = append(etc.Dirents, etcGokrazy)
 

internal/packer/sbom.go

@@ -48,6 +48,9 @@ type SBOMWithHash struct {
 
 // GenerateSBOM generates a Software Bills Of Material (SBOM) for the
 // local gokrazy instance.
+// It must be called before any modifications to cfg.InternalCompatibilityFlags,
+// as the SBOM should reflect what’s going into gokrazy,
+// not its internal implementation details.
 func GenerateSBOM(cfg *config.Struct) ([]byte, SBOMWithHash, error) {
 	wd, err := os.Getwd()
 	if err != nil {