feat(sbom): add SBOM attestation cache pipeline #693
castrojo merged 4 commits into projectbluefin:main from
- Rewrite update-sbom-cache.yml: use actions/cache/save instead of git commit+push; drop contents:write permission (now contents:read)
- Add incremental restore of existing SBOM cache before fetch so only changed streams are re-fetched
- Update pages.yml restore-keys: add github-data-sbom- prefix so the site build picks up SBOM data from the update-sbom-cache workflow
- Remove /static/data/sbom-attestations.json seed file exception from .gitignore — data files are runtime-only, not committed
- Add src/types/sbom-attestations.d.ts ambient module declaration so tsc resolves @site/static/data/sbom-attestations.json without the file existing locally

Assisted-by: Claude Sonnet 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…tag enforcement
- verifyAttestation: unexpected tooling/auth failures now return present:null
with errorKind:'tooling' instead of present:true — callers can distinguish
'no attestation' (present:false) from tooling errors (present:null)
- verifyAttestation: parse only stdout for NDJSON attestation bundles; stderr
carries status text ('Verification OK') that must not be treated as JSON
- fetchAllPackageVersions: rethrow Packages API errors so callers can fall back
to the existing cache instead of silently receiving an empty version list and
wiping all releases for that stream
- findRecentTagsForStream: enforce canonical tag matching — only exact
'<streamPrefix>-YYYYMMDD' tags are accepted; non-canonical variants like
lts-hwe-testing-20260331 previously collapsed into the canonical cache key
and could silently overwrite valid entries
Assisted-by: Claude Sonnet 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- fetch-github-images.js: latestFeedItem() was aliasing stream 'stable-daily' to 'stable', causing stable-daily image cards to show stable release metadata. Now returns null so callers render unknown values — no feed exists for daily.
- docs/devcontainers.md: add 'json' language specifier to fenced code block (MD040 lint fix) for the Dev Containers podman settings snippet.

Assisted-by: Claude Sonnet 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Code Review
This pull request introduces several improvements to the build and documentation processes, including better handling of 'stable-daily' image feeds, stricter canonical tag enforcement in SBOM scripts, and improved error handling during API failures. It also adds a TypeScript declaration for the SBOM attestation cache to satisfy compiler checks. However, the review identified two critical issues in scripts/fetch-github-sbom.js: first, rethrowing an error in fetchAllPackageVersions currently leads to the cache being cleared rather than preserved as intended; second, the introduction of present: null and errorKind is inconsistent with the existing AttestationResult interface, which will cause build-time type errors and data loss.
| // Rethrow so the caller (main) can preserve existing cache for this package | ||
| // rather than silently returning an empty result and clearing all releases. | ||
| throw new Error( | ||
| `Packages API page ${page} for ${org}/${pkg} failed: ${err.message}`, | ||
| ); |
The comment on line 162 states that rethrowing allows the caller to preserve the existing cache. However, the main function (at line 731) catches this error and sets the package versions to an empty array (allVersionsByPackage.set(key, [])). This causes processStream to proceed with zero releases, effectively clearing the cache for all streams associated with that package. To achieve the stated goal of preserving the cache, the main function should be updated to skip processing or handle the error without clearing the package entry.
| present: null, | ||
| verified: false, | ||
| predicateType: null, | ||
| errorKind: "tooling", | ||
| error: String(err.stderr || err.message), |
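Review bot: `error: String(err.stderr || err.message)` stores the tool's complete stderr in the attestation record; the commit message notes stderr carries status text, and this record feeds the sbom-attestations.json data file, so bound it to a short, truncated summary here (the `errorKind` field already carries the classification) and leave the full stderr to the workflow log. Note also that an empty-string stderr correctly falls through to `err.message`, but a Buffer stderr should be decoded explicitly rather than relying on `String()`.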
The use of present: null and the addition of errorKind: "tooling" are inconsistent with the AttestationResult interface defined in src/types/sbom.ts, where present is a boolean and errorKind is not defined. Furthermore, errorKind is currently discarded during the reconstruction of the attestation object in processStream (line 628). This will cause type errors during build-time checks and results in the loss of the error classification data. The AttestationResult interface and the processStream function should be updated to support these new fields.
…ationResult type

Issue 1: fetchAllPackageVersions error path previously set allVersionsByPackage to an empty array, causing processStream to emit zero releases and clear the cache for all streams. Fix: leave the key absent on failure; processStream now detects the missing key and returns the existing cache entry instead.

Issue 2: verifyAttestation returns present:null and errorKind:"tooling" for tooling/registry/auth failures, but AttestationResult had present:boolean (no null) and no errorKind field. The processStream reconstruction also silently dropped errorKind. Fix: widen present to boolean|null, add optional errorKind:"tooling" field to the interface, and propagate errorKind through the reconstruction spread.

Assisted-by: Claude Sonnet 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
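Both issues in the commit message above, reduced to a runnable model; this is an added example, not the project's scripts/fetch-github-sbom.js. The function names follow the commit message, but their bodies, the cache shape, the `preserveOnError` switch (which toggles between the flagged bug and the fix) and the sample package data are assumptions.

```javascript
// Added example, not the project's code; names follow the commit message,
// bodies, cache shape and sample data are assumptions.
function fetchAllPackageVersions(pkg, fetchPage) {
  const versions = [];
  for (let page = 1; ; page++) {
    let batch;
    try {
      batch = fetchPage(pkg, page);
    } catch (err) {
      // Rethrow (keeping the cause) instead of returning [] so a failed fetch
      // is distinguishable from a package that simply has no versions.
      throw new Error(`Packages API page ${page} for ${pkg} failed: ${err.message}`, { cause: err });
    }
    if (batch.length === 0) return versions;
    versions.push(...batch);
  }
}

// preserveOnError=false reproduces the bug the review flagged (failure stored
// as []); true is the fix (key left absent on failure).
function loadVersions(packages, fetchPage, preserveOnError) {
  const byPackage = new Map();
  for (const pkg of packages) {
    try { byPackage.set(pkg, fetchAllPackageVersions(pkg, fetchPage)); }
    catch { if (!preserveOnError) byPackage.set(pkg, []); }
  }
  return byPackage;
}

// Rebuild one package's cache entry. An absent key means the fetch failed, so
// the existing entry is returned untouched; the spread keeps errorKind intact.
function processStream(pkg, byPackage, existingCache) {
  if (!byPackage.has(pkg)) return existingCache[pkg] ?? [];
  return byPackage.get(pkg).map((v) => ({ tag: v.tag, attestation: { ...v.attestation } }));
}

// Constructed sample: the Packages API fails for 'img-a' and succeeds for 'img-b'.
const EXISTING_CACHE = { "img-a": [{ tag: "stable-20260301", attestation: { present: true, verified: true } }] };
function fakeFetchPage(pkg, page) {
  if (pkg === "img-a") throw new Error("HTTP 502");
  if (page > 1) return [];
  return [{ tag: "stable-20260401", attestation: { present: null, verified: false, errorKind: "tooling" } }];
}

function demo(preserveOnError) {
  const byPackage = loadVersions(["img-a", "img-b"], fakeFetchPage, preserveOnError);
  return { "img-a": processStream("img-a", byPackage, EXISTING_CACHE),
           "img-b": processStream("img-b", byPackage, EXISTING_CACHE) };
}
```

Running `demo(false)` wipes the img-a entry exactly as the review described, while `demo(true)` returns the cached release and carries `errorKind: "tooling"` through for img-b.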
No description provided.