Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update legacy-release_sbom-generator.yaml #29584

Open
wants to merge 22 commits into
base: main
Choose a base branch
from
Open

Update legacy-release_sbom-generator.yaml #29584

wants to merge 22 commits into from
+44 −19

Conversation

rsh1k
Copy link
Contributor

@rsh1k rsh1k commented Aug 14, 2024
edited
Loading

The workflow will generate the SBOM for each release in the release branch instead of core-test-results.

@rsh1k
Update legacy-release_sbom-generator.yaml
b995b02 
Changed core-test-repo to core repo.
@rsh1k rsh1k requested a review from a team as a code owner August 14, 2024 05:01
@dotcms-sonarqube dotCMS-sonarqube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@mbiuki mbiuki added OKR : Security & Privacy Owned by Mehdi dotCMS : Security Team: Security Issues related to security and privacy labels Aug 14, 2024
@rsh1k rsh1k mentioned this pull request Aug 15, 2024
Closed
@rsh1k rsh1k linked an issue Aug 15, 2024 that may be closed by this pull request
SBOM generation to go along w/ every release #29443
Open
@rsh1k rsh1k enabled auto-merge August 15, 2024 05:24
@mbiuki mbiuki mentioned this pull request Aug 15, 2024
Closed
3 tasks
@spbolton
Copy link
Contributor

My only concern is that we are adding the commit After the commit we fix the release version and publish to github, therefore anyone actually looking at the files in the release commit will not see the sbom. Of course there is a chicken-egg problem here as the workflow is triggered off the release generation so the only way I see of fixing this would be to modify the main release workflow to add the steps before the release commit is created. It probably would be better to have the sbom combined with the single release commit, but a commit before would also be fine.
If
@bryanboza
is ok with this extra post release commit just to get the sbom in there in the short term, then I am ok with that. Otherwise to handle this before our release workflow refactor would be to modify the current release workflow to include the required steps rather than its own workflow as we currently have.

sfreudenthaler
sfreudenthaler approved these changes Aug 19, 2024
View reviewed changes
Copy link
Contributor

@sfreudenthaler sfreudenthaler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@spbolton left a valid comment. I'm ok either way we go.

I do like that we're storing as a file in the root of the repo. Seems like a good pattern to have it by other repo metadata stuff like the readme. Appreciate that we're not creating the sbom file with the version in the filename and leveraging github versioning as well. It'll make future usage/programmatic consumption of the sbom much nicer to work with.

.github/workflows/legacy-release_sbom-generator.yaml Show resolved Hide resolved
@github-actions GitHub Actions
Copy link

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.

@github-actions github-actions bot added the stale label Sep 23, 2024
@nollymar nollymar changed the base branch from master to main September 30, 2024 20:36
@github-actions github-actions bot removed the stale label Oct 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbiuki mbiuki mbiuki approved these changes

@sfreudenthaler sfreudenthaler sfreudenthaler approved these changes

@spbolton spbolton Awaiting requested review from spbolton

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
dotCMS : Security OKR : Security & Privacy Owned by Mehdi Team: Security Issues related to security and privacy
Projects
dotCMS - Product Planning
Status: In Review
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SBOM generation to go along w/ every release
4 participants
@rsh1k @spbolton @mbiuki @sfreudenthaler