Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: generate sboms for provided packeges in a release #247

Merged
merged 9 commits into from
Jan 21, 2025
Merged

ci: generate sboms for provided packeges in a release #247

merged 9 commits into from
Jan 21, 2025

Conversation

y-eight
Copy link
Member

@y-eight y-eight commented Jan 3, 2025
edited
Loading

Motivation

Goreleaser provides the functionality to generate the sbom when creating a GitHub release with its artifacts.

Changes

This MR will add sboms for all provided artifacts when a new release is created. This is needed to prepare the migration of the repo.

Edit: Additionally I have added a description how to use Syft manually in our context.

For additional information look at the commits.

Tests done

  • Unit tests succeeded
  • E2E tests succeeded

@y-eight y-eight added the area/ci Issues/PRs related to github actions label Jan 3, 2025
@y-eight y-eight self-assigned this Jan 3, 2025
@puffitos
Copy link
Collaborator

puffitos commented Jan 3, 2025
edited
Loading

LGTM but why is the syft installation needed in the e2e testing workflow?

EDIT: I guess it's based on when we use the gorelease action, right?

puffitos
puffitos requested changes Jan 3, 2025
View reviewed changes
scripts/sbom/README.md Outdated Show resolved Hide resolved
scripts/sbom/example.sbom.tmpl Outdated Show resolved Hide resolved
puffitos
puffitos reviewed Jan 3, 2025
View reviewed changes
scripts/sbom/README.md Outdated Show resolved Hide resolved
@y-eight
Copy link
Member Author

y-eight commented Jan 14, 2025

LGTM but why is the syft installation needed in the e2e testing workflow?

EDIT: I guess it's based on when we use the gorelease action, right?

Correct! Syft is needed see this previous failing ci job: https://github.com/telekom/sparrow/actions/runs/12596763639/job/35108497305#step:4:1

@y-eight y-eight requested a review from puffitos January 20, 2025 09:02
puffitos
puffitos requested changes Jan 20, 2025
View reviewed changes
scripts/sbom/README.md Outdated Show resolved Hide resolved
@y-eight y-eight requested a review from puffitos January 20, 2025 09:19
lvlcn-t
lvlcn-t approved these changes Jan 20, 2025
View reviewed changes
Copy link
Collaborator

@lvlcn-t lvlcn-t left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM AFAICT

@y-eight y-eight merged commit 7b8f036 into main Jan 21, 2025
8 checks passed
@y-eight y-eight deleted the ci/generate-sboms branch January 21, 2025 08:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@puffitos puffitos puffitos approved these changes

@lvlcn-t lvlcn-t lvlcn-t approved these changes

@niklastreml niklastreml Awaiting requested review from niklastreml niklastreml is a code owner

Assignees

@y-eight y-eight

Labels
area/ci Issues/PRs related to github actions
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@y-eight @puffitos @lvlcn-t