Add SBOM Test to GitHub Workflow #29467
Conversation
Resolves #29443
@jdcmsd - this is the PR for the SBOM ticket that we discussed yesterday. Please review.
Left some comments that hopefully advance this a bit. I'd like to get 👀 and approval from one of our folks more active in the github actions and pipelines codebase.
I also notice that for this PR, it doesn't have any changes in existing workflows to have it generated. So to generate an SBOM, someone would have to go invoke the workflow manually. I think it'd be better to have this get invoked on every release automatically.
@sfreudenthaler @mbiuki This step will execute the code automatically whenever there is a new version published in GitHub. You don't need to run the code manually. The default version in the code is just to test if the workflow works as expected.
Oh shoot. Missed the trigger, good point. I still don't like the default and possible unintended behaviour. I'd like to see us find a different way to test. Maybe folks have some other ideas? If not, we're releasing 2 times a week on average, so you shouldn't have to wait long to get feedback.
I'd like to see us get some sort of breadcrumb to troubleshoot with if the input.dotcms_version isn't provided or able to be retrieved.
Left a comment in the discussion already, but maybe changing the default value to something like "no value provided for dotcms_version" would do the trick.
I like it! Thanks for your patience with me on this
Thanks. Let's get this in here and give it a go. Probably some tweaking needed after we start using it.
If you could just change the workflow name so it fits with the new naming structure I have in my PR. This would be legacy-release_sbom-generator.yaml
The underscore acts like a path separator and this groups it with the existing release workflows we have not yet moved to the new modular structure.
I am fine with this going in so we can see how it works otherwise.
To prevent this from blocking the merge I will push this in, then modify the filename in my PR as mine still has to wait for approvals anyway. #29506
Will update the filename within this PR #29506
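To make the points raised in the thread concrete (automatic execution on every published release, a manual trigger kept only for testing, and a default for dotcms_version that leaves a clear breadcrumb instead of silently scanning the wrong thing), here is an added illustration of what such a workflow can look like. It is not the PR's own workflow file: the page does not show its contents. It assumes anchore/sbom-action as the SBOM generator and assumes the version value is a git tag that can be checked out; both are assumptions, not facts from the PR. Inputs are passed to the shell through env rather than interpolated into the script, so an attacker-controlled input cannot inject shell commands.

```yaml
# legacy-release_sbom-generator.yaml (file name as agreed in the review thread)
# Added illustration, not the PR's own workflow. Assumes anchore/sbom-action
# as the generator and that dotcms_version is a checkout-able git tag.
name: legacy-release_sbom-generator

on:
  # Runs automatically whenever a new release is published.
  release:
    types: [published]
  # Manual runs remain possible for testing. The default is a deliberate
  # sentinel string so a missing version is obvious in the logs.
  workflow_dispatch:
    inputs:
      dotcms_version:
        description: 'Version to generate the SBOM for (normally taken from the release tag)'
        required: false
        default: 'no value provided for dotcms_version'

jobs:
  sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only needed to attach the SBOM to the release
    steps:
      - name: Resolve version
        id: version
        # Pass event data through env vars; never interpolate ${{ }} into
        # the script body, which would allow shell injection via the input.
        env:
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          INPUT_VERSION: ${{ github.event.inputs.dotcms_version }}
        run: |
          # Prefer the release tag; fall back to the manual input.
          if [ "$EVENT_NAME" = "release" ]; then
            version="$RELEASE_TAG"
          else
            version="$INPUT_VERSION"
          fi
          # Breadcrumb for troubleshooting: fail loudly when no real version
          # was provided or retrieved, instead of generating a misleading SBOM.
          if [ -z "$version" ] || [ "$version" = "no value provided for dotcms_version" ]; then
            echo "::error::dotcms_version was not provided or could not be retrieved (got: '$version')"
            exit 1
          fi
          echo "version=$version" >> "$GITHUB_OUTPUT"

      - uses: actions/checkout@v4
        with:
          ref: ${{ steps.version.outputs.version }}

      - name: Generate SBOM (assumed tool: anchore/sbom-action)
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom-${{ steps.version.outputs.version }}.spdx.json
          artifact-name: sbom-${{ steps.version.outputs.version }}.spdx.json
          # Attach to the release only on real release runs, not test runs.
          upload-release-assets: ${{ github.event_name == 'release' }}
```

The sentinel default is what gives the reviewer's requested breadcrumb: a manual run without a version stops at the first step with an explicit error naming dotcms_version, and the only way an SBOM gets generated is with a version that was either taken from the release event or typed in deliberately.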
This pull request introduces a Software Bill of Materials (SBOM) test into our GitHub Actions workflow.
Summary of Changes:
Details:
Benefits: