-
Notifications
You must be signed in to change notification settings - Fork 467
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update legacy-release_sbom-generator.yaml #29584
base: main
Are you sure you want to change the base?
Conversation
Changed core-test-repo to core repo.
Quality Gate passedIssues Measures |
My only concern is that we are adding the commit After the commit we fix the release version and publish to github, therefore anyone actually looking at the files in the release commit will not see the sbom. Of course there is a chicken-egg problem here as the workflow is triggered off the release generation so the only way I see of fixing this would be to modify the main release workflow to add the steps before the release commit is created. It probably would be better to have the sbom combined with the single release commit, but a commit before would also be fine. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@spbolton left a valid comment. I'm ok either way we go.
I do like that we're storing as a file in the root of the repo. Seems like a good pattern to have it by other repo metadata stuff like the readme. Appreciate that we're not creating the sbom file with the version in the filename and leveraging github versioning as well. It'll make future usage/programmatic consumption of the sbom much nicer to work with.
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days. |
The workflow will generate the SBOM for each release in the release branch instead of core-test-results.