Add on-demand SBOM generation workflow#191
Lukasz-Juranek wants to merge 1 commit into eclipse-score:main from
Conversation
The created documentation from the pull request is available at: docu-html
Pull request overview
Adds an on-demand SBOM generation capability to the Bazel-based build, including a root SBOM target and a GitHub Actions workflow to build and publish SBOM artifacts and submit dependency snapshots to GitHub.
Changes:
- Add `score_sbom` as a Bzlmod dependency (via `git_override`) and enable its metadata extension.
- Introduce a root `//:reference_integration_sbom` Bazel target covering core showcase binaries.
- Add a `workflow_dispatch`-only GitHub Actions workflow to generate/upload SBOMs and submit a dependency snapshot.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `MODULE.bazel.lock` | Updates the Bzlmod lockfile to include `score_sbom` and transitive module resolution results. |
| `MODULE.bazel` | Adds the `score_sbom` module override and configures the `sbom_metadata` extension to track this repo's module. |
| `BUILD` | Adds a root `sbom(...)` target `reference_integration_sbom` for key showcase binaries. |
| `.github/workflows/generate_sbom.yml` | Adds a manual workflow to build SBOMs, upload them as artifacts, and submit a dependency snapshot to GitHub. |
.github/workflows/generate_sbom.yml
Outdated
| # Use the script from the already-fetched @score_sbom external repo | ||
| SBOM_SCRIPTS="$(bazel info output_base)/external/score_sbom+/scripts" | ||
| python3 "${SBOM_SCRIPTS}/spdx_to_github_snapshot.py" \ |
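Review bot: `SBOM_SCRIPTS="$(bazel info output_base)/external/score_sbom+/scripts"` hard-codes Bazel's internal output_base layout; the `score_sbom+` directory name is a Bzlmod implementation detail that can change between Bazel versions, so the `python3 "${SBOM_SCRIPTS}/spdx_to_github_snapshot.py"` call will break on a toolchain upgrade rather than fail at dependency resolution. Expose the converter as a Bazel target in the `score_sbom` module and invoke it with `bazel run @score_sbom//scripts:spdx_to_github_snapshot_bin`, so Bazel resolves the script and its Python toolchain instead of a guessed path.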
.github/workflows/generate_sbom.yml
Outdated
| sbom: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write # required for GitHub Dependency Submission API |
| # Summary: | ||
| # Generates a Software Bill of Materials (SPDX 2.3 + CycloneDX 1.6) for the | ||
| # core showcase Bazel targets and stores the results as a GitHub Actions | ||
| # artifact. Optionally submits the SPDX snapshot to the GitHub Dependency | ||
| # Submission API to enable Dependabot vulnerability alerts. | ||
| # |
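Review bot: the header comment says the SPDX snapshot is "Optionally" submitted to the Dependency Submission API, yet the job unconditionally requests `contents: write` for exactly that submission; if the submission step always runs, the comment overstates the opt-out and should say so, and if it is meant to be optional, gate it on a `workflow_dispatch` input and request the write scope only on that path. Either way, keep the `permissions` block scoped to this one job (as it is here) and note next to `contents: write` that it is the minimum the Dependency Submission API requires, since it is the only write scope the workflow holds.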
.github/workflows/generate_sbom.yml
Outdated
| - name: Install prerequisites (uv + Java for Rust crate metadata) | ||
| run: | | ||
| curl -LsSf https://astral.sh/uv/install.sh | sh |
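Review bot: `curl -LsSf https://astral.sh/uv/install.sh | sh` executes whatever the remote host serves at run time, with no version pin and no checksum, which is the same class of unpinned, unverifiable install step an SBOM workflow exists to make visible. Replace it with a pinned, auditable step, for example the tagged `astral-sh/setup-uv` action at a fixed version, or a downloaded release artifact whose checksum is verified before it is executed, so the CI environment that produces the SBOM is itself reproducible.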
Response to review findings

Addressed all actionable review comments in commits
CI run on fork confirms full end-to-end success: https://github.com/Lukasz-Juranek/score-reference_integration/actions/runs/23180345273
5b493ac to 5174542
@kgraeper thx for looking at this.
- Adds `score_sbom` as a Bazel module dependency (via `git_override`)
- Adds a root `reference_integration_sbom` Bazel target covering the core Rust showcase binaries (`//showcases/cli:cli`, `//showcases/orchestration_persistency:orch_per_example`)
- Adds `.github/workflows/generate_sbom.yml` triggered only on `workflow_dispatch` (on-demand)

What the workflow does:

1. Builds SPDX 2.3 + CycloneDX 1.6 SBOMs via `bazel build //:reference_integration_sbom`
2. Uploads both files as a GitHub Actions artifact (`sbom-<sha>`, retained 90 days)
3. Converts the SPDX output to GitHub Dependency Submission API format and submits it — enables Dependabot vulnerability alerts on the declared dependencies

Workflow improvements over initial draft:

- Use `astral-sh/setup-uv@v7.6.0` instead of `curl | sh` for reproducible, supply-chain-safe uv installation
- Add `apt-get update` before `apt-get install` to prevent intermittent failures on rotating runner images
- Invoke SPDX→snapshot converter via `bazel run @score_sbom//scripts:spdx_to_github_snapshot_bin` instead of reaching into Bazel's internal output_base directory; the required `py_binary` target is added in eclipse-score/sbom-tool#2
- Update header comment to accurately reflect that dependency snapshot submission always runs
- Use absolute paths (`$GITHUB_WORKSPACE`) for bazel run invocations
5174542 to 496e581
Summary

- Adds `score_sbom` as a Bazel module dependency (via `git_override`)
- Adds a root `reference_integration_sbom` Bazel target covering the core Rust showcase binaries (`//showcases/cli:cli`, `//showcases/orchestration_persistency:orch_per_example`)
- Adds `.github/workflows/generate_sbom.yml` triggered only on `workflow_dispatch` (on-demand)

What the workflow does

1. Builds the SBOMs via `bazel build //:reference_integration_sbom`
2. Uploads them as a GitHub Actions artifact (`sbom-<sha>`, retained 90 days)

Depends on: eclipse-score/sbom-tool#2
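The PR description's conversion step, SPDX output to a GitHub Dependency Submission API snapshot, as an added illustration rather than the score_sbom converter: it walks the SPDX `DESCRIBES`/`DEPENDS_ON` relationships, marks what the described root depends on as `direct` and the rest as `indirect`, and emits the snapshot shape the API accepts. The SPDX input, the `correlator` and the `detector` values are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed SPDX 2.3 JSON fragment: a root binary depends on serde, which in
# turn depends on serde_derive; only the crates carry a purl external ref.
SPDX_DOC = {
    "packages": [
        {"SPDXID": "SPDXRef-root", "name": "cli", "versionInfo": "0.1.0"},
        {"SPDXID": "SPDXRef-serde", "name": "serde", "externalRefs": [
            {"referenceType": "purl", "referenceLocator": "pkg:cargo/serde@1.0.200"}]},
        {"SPDXID": "SPDXRef-derive", "name": "serde_derive", "externalRefs": [
            {"referenceType": "purl", "referenceLocator": "pkg:cargo/serde_derive@1.0.200"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-root"},
        {"spdxElementId": "SPDXRef-root", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-serde"},
        {"spdxElementId": "SPDXRef-serde", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-derive"},
    ],
}

def purl_of(pkg):
    """Return the package's purl external reference, or None if it has none."""
    return next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"), None)

def spdx_to_snapshot(doc, sha, ref, manifest="MODULE.bazel"):
    """Direct deps are those the DESCRIBES root depends on; everything else is indirect."""
    purls = {p["SPDXID"]: purl_of(p) for p in doc["packages"]}
    resolved = {u: {"package_url": u, "relationship": "indirect", "dependencies": []}
                for u in purls.values() if u}
    roots = {r["relatedSpdxElement"] for r in doc["relationships"]
             if r["relationshipType"] == "DESCRIBES"}
    for r in doc["relationships"]:
        if r["relationshipType"] != "DEPENDS_ON":
            continue
        src, dst = r["spdxElementId"], purls.get(r["relatedSpdxElement"])
        if dst is None:
            continue  # target is a file or root element without a purl
        if src in roots:
            resolved[dst]["relationship"] = "direct"
        elif purls.get(src):
            resolved[purls[src]]["dependencies"].append(dst)
    return {  # correlator and detector values are assumed, not the tool's own
        "version": 0, "sha": sha, "ref": ref,
        "job": {"correlator": "generate_sbom/sbom", "id": sha},
        "detector": {"name": "spdx-to-snapshot-example", "version": "0.1.0",
                     "url": "https://example.invalid/spdx-to-snapshot"},
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {manifest: {"name": manifest, "file": {"source_location": manifest},
                                 "resolved": resolved}},
    }
```

The returned dict is what a workflow would POST to the `/repos/{owner}/{repo}/dependency-graph/snapshots` endpoint with the `contents: write` token; `sha` and `ref` must match the commit the SBOM was built from or the snapshot is attached to the wrong revision.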