Publish SBOM for Each Release #69
Comments
@anthonyharrison, is there an example repo where you do this already?
@jspeed-meyers There is a GitHub action here which publishes an SBOM every week to the github repository. We publish a separate SBOM for each version of Python which is supported because there are different dependency requirements depending on the Python version being used. There may also be different dependencies related to the target architecture and operating system but I don't think this applies for this project.
Thank you, @anthonyharrison. That's useful. One of the "requirements" (air quotes, because I am making this up as I go along) I created for this task is to publish the created SBOM to the GitHub releases page. IIUC, the Action in the project you highlighted publishes into the project repository. Both are sensible, but my preference is to only create SBOMs for releases. I was thinking of trying out one of Anchore's actions instead of that approach, since the Anchore action's default behavior is to release an SBOM to the GH Action release page, though I would prefer to use the sbom4python tool since you are the creator of it and so can help troubleshoot. Any objections or thoughts?
@jspeed-meyers I am not very good with GH actions. But I think if you modify the `on` action to be on the prerelease event rather than on a schedule and find a way to copy the SBOMs to a release (I still think it is worth storing in the repo BTW), then I think you will be there.
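One way to wire up what the two comments above describe: a workflow triggered by the release event rather than a schedule, one SBOM per supported Python version (as in the weekly action mentioned earlier), each uploaded as an asset of the release that triggered the run. This is an added illustration, not a workflow from this project or from the sbom4python repository; the package name `my_package`, the Python version list, the output file names, and the `--module`, `--sbom`, `--format` and `--output-file` flags of sbom4python are assumptions to be checked against the tool's `--help` output.

```yaml
# Added example workflow (not the project's own). Assumes the package is
# installable from the repository root and is importable as `my_package`.
name: Publish SBOM on release

on:
  release:
    types: [published]   # fires once per release; use `prereleased` for pre-releases

permissions:
  contents: write        # required for `gh release upload`

jobs:
  sbom:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Assumed set of supported interpreters; one SBOM is produced per entry
        python-version: ["3.9", "3.10", "3.11"]
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install the project and sbom4python
        run: |
          python -m pip install --upgrade pip
          python -m pip install . sbom4python

      - name: Generate SBOM for this interpreter
        env:
          PY: ${{ matrix.python-version }}
        run: |
          # Flags assumed from sbom4python's CLI; verify with `sbom4python --help`
          sbom4python --module my_package \
            --sbom cyclonedx --format json \
            --output-file "sbom-python${PY}.cdx.json"

      - name: Attach SBOM to the release
        env:
          GH_TOKEN: ${{ github.token }}
          # Pass the tag through the environment instead of interpolating it
          # into the shell script, so a crafted tag name cannot inject commands.
          TAG: ${{ github.event.release.tag_name }}
          PY: ${{ matrix.python-version }}
        run: |
          gh release upload "$TAG" "sbom-python${PY}.cdx.json" --clobber
```

The `--clobber` flag lets a re-run replace an asset of the same name rather than fail. If the SBOM should also be stored in the repository, as suggested above, a separate step would need to commit the file on a branch, since a release-triggered run checks out the tag and cannot push to it.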
This might simplify this task: https://github.com/marketplace/actions/sbom-generator-action
I am going to close this issue because (A) I don't see evidence that an SBOM associated with the release would benefit anyone and (B) I don't know a simple and reliable way to generate this SBOM. Reader, please re-open this issue if such an SBOM would benefit you or if you know of a simple and reliable way to do this.
Requirements:
cc @anthonyharrison