Release #768
Release #768
Conversation
Co-authored-by: Alexandre Bouthinon <bouthinon.alexandre@gmail.com>
Co-authored-by: Alexandre Bouthinon <bouthinon.alexandre@gmail.com>
feat: publish sbom to dtrack
## [7.17.0-beta.1](v7.16.0...v7.17.0-beta.1) (2025-12-16) ### Features * publish sbom to dtrack ([09d874a](09d874a))
## [7.17.0-beta.2](v7.17.0-beta.1...v7.17.0-beta.2) (2025-12-16) ### Bug Fixes * use custom github token to allow sequantial workflow creation ([b3109fe](b3109fe))
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Publish SBOM to Dependency-Track | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Checkout project | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Install additional libraries | ||
| uses: ./.github/actions/install-packages | ||
|
|
||
| - name: Node version ${{ env.NODE_VERSION }} | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: ${{ env.NODE_VERSION }} | ||
|
|
||
| - run: npm install | ||
| - name: Create SBOM with CycloneDX | ||
| run: npx @cyclonedx/cyclonedx-npm -o bom.xml --of=XML | ||
|
|
||
| - name: Get the current project version from package.json | ||
| id: get-version | ||
| run: | | ||
| echo "version=$(jq -r .version package.json)" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Publish SBOM to Dependency-Track | ||
| uses: DependencyTrack/gh-upload-sbom@v3 | ||
| with: | ||
| serverhostname: ${{ secrets.DEPENDENCYTRACK_HOSTNAME }} | ||
| apikey: ${{ secrets.DEPENDENCYTRACK_APIKEY }} | ||
| projectname: 'Kuzzle SDK JavaScript' | ||
| projectversion: '${{ steps.get-version.outputs.version }}' | ||
| bomfilename: "./bom.xml" | ||
| autocreate: true No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 7 days ago
To fix the problem, add a permissions: block explicitly specifying the minimal required permissions for the workflow's context. In most publish/read-only SBOM scenarios, contents: read is sufficient, as the job does not need to write to the repository, only to read its contents. This block can be placed at the top level (before jobs:), which will apply to all jobs in the workflow unless overridden, or just to the job in question. Since only one job is present, either position is acceptable, but placing it at the top level both makes intent clear and allows for future extensibility. The best and minimal way is to insert the following immediately after the name: line (line 1):
permissions:
contents: readNo further changes, imports, or definitions are required.
| @@ -1,4 +1,6 @@ | ||
| name: Dtrack SBOM publish | ||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| NODE_VERSION: "24" |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - name: Checkout project | ||
| uses: actions/checkout@v6 |
There was a problem hiding this comment.
The new release SBOM workflow references actions/checkout@v6, but that action is only published up to v4 in this repo’s other workflows; using an unpublished tag causes GitHub to fail the job before the repository is even checked out, so every release/prerelease event will abort before generating or uploading the SBOM.
Useful? React with 👍 / 👎.
| - name: Node version ${{ env.NODE_VERSION }} | ||
| uses: actions/setup-node@v6 |
There was a problem hiding this comment.
The same workflow calls actions/setup-node@v6, while the supported tags used elsewhere in the repo are v4; GitHub will error resolving this version, preventing Node from being set up and blocking SBOM generation on every release/prerelease run.
Useful? React with 👍 / 👎.
|
🎉 This PR is included in version 7.17.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Overview
PR that add SBOM upload to our dtrack instance