fix: use short git hash for SBOM version and update bom-ref consistently #112
vpetersson merged 8 commits into master from
- Update CI workflow to use 7-char short SHA for COMPONENT_VERSION in staging builds instead of full 40-char SHA
- Update _update_component_purl_version() to also update bom-ref when it contains the old version, ensuring consistency between component.version, component.purl, and component.bom_ref
Pull request overview
This PR updates the SBOM generation workflow to use shorter git commit hashes and ensures consistency between component version fields. The changes address version string length and synchronization issues in SBOM metadata.
Changes:
- Modified CI workflow to use 7-character short SHA instead of full 40-character SHA for staging build versions
- Enhanced `_update_component_purl_version()` to also update `bom-ref` when it contains version information, maintaining consistency across component version, PURL, and bom-ref fields
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/sbomify.yaml | Added version determination step to generate short SHA and updated COMPONENT_VERSION to use it |
| sbomify_action/augmentation.py | Extended version update logic to handle bom-ref updates alongside PURL updates |
Address PR review feedback by using replace(..., 1) to prevent unintended replacements if the version string appears multiple times in the bom-ref.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
Replace fragile string replacement with proper PURL parsing when updating bom-ref versions. This validates the bom-ref is actually a PURL and reconstructs it safely with the new version. Addresses PR review feedback.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
Follow PEP 8 style guidelines by moving the BomRef import to the module level instead of inside the function.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
Return early with debug log when component PURL has no version, making the code flow more explicit and preventing silent failures.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
Avoid unnecessary variable assignment when returning early due to missing PURL version.
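As an added illustration of the approach the commits above describe (this is example code, not code from this PR or from the sbomify_action module): parse the PURL, rewrite only its version, touch bom-ref only when it is itself a PURL carrying the old version, and return early with a debug log when the PURL has no version. The `Component` class, the regex-based PURL parser (a stand-in for a real PURL library) and `naive_update` (the fragile string-replace approach, kept for contrast) are constructed for this example.

```python
import logging
import re
from dataclasses import dataclass
from typing import Optional
log = logging.getLogger(__name__)
# Minimal PURL grammar for this example (a stand-in for a real PURL library):
# pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/(?P<path>[^@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)

@dataclass
class Component:  # hypothetical stand-in for a CycloneDX component object
    name: str
    version: str
    purl: Optional[str] = None
    bom_ref: Optional[str] = None

def _parse_purl(value: str) -> Optional[dict]:
    m = _PURL_RE.match(value)
    return m.groupdict() if m else None

def _rebuild_purl(parts: dict, version: str) -> str:  # reassemble with only the version swapped
    out = f"pkg:{parts['type']}/{parts['path']}@{version}"
    out += f"?{parts['qualifiers']}" if parts["qualifiers"] else ""
    out += f"#{parts['subpath']}" if parts["subpath"] else ""
    return out

def naive_update(ref: str, old: str, new: str) -> str:
    """The fragile approach: rewrites the first textual hit, which may sit inside the name."""
    return ref.replace(old, new, 1)

def update_component_version(component: Component, new_version: str) -> list:
    """Set version, then rewrite purl and bom-ref by parsing; return the fields touched."""
    component.version = new_version
    changed = ["version"]
    parts = _parse_purl(component.purl) if component.purl else None
    if parts is None or not parts["version"]:
        log.debug("%s: PURL has no version, purl/bom-ref left unchanged", component.name)
        return changed
    old_version = parts["version"]
    component.purl = _rebuild_purl(parts, new_version)
    changed.append("purl")
    ref_parts = _parse_purl(component.bom_ref) if component.bom_ref else None
    # Only a bom-ref that is itself a PURL carrying the old version is rewritten; UUID refs stay.
    if ref_parts and ref_parts["version"] == old_version:
        component.bom_ref = _rebuild_purl(ref_parts, new_version)
        changed.append("bom_ref")
    return changed
```

With a component named `app-1.0` at version `1.0`, `naive_update` rewrites the name rather than the version, while the parsing path changes only the `@` segment.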
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.