Add github-release package type
#418
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jkowalleck
previously approved these changes
Mar 18, 2025
|
like the idea. lets think about how a specific file from a release could be pointed out. lets use this as an example: https://github.com/package-url/packageurl-python/releases/tag/v0.16.0
couldyou add those to the spec? |
jkowalleck
previously approved these changes
Mar 18, 2025
This is a good call out! I've added a |
|
I like this type. Maybe we expand this a bit and document the various qualifiers including mandatory ones as well. Required properties as per github Full release schema {
"title": "Release",
"description": "A release.",
"type": "object",
"properties": {
"url": {
"type": "string",
"format": "uri"
},
"html_url": {
"type": "string",
"format": "uri"
},
"assets_url": {
"type": "string",
"format": "uri"
},
"upload_url": {
"type": "string"
},
"tarball_url": {
"type": [
"string",
"null"
],
"format": "uri"
},
"zipball_url": {
"type": [
"string",
"null"
],
"format": "uri"
},
"id": {
"type": "integer"
},
"node_id": {
"type": "string"
},
"tag_name": {
"description": "The name of the tag.",
"type": "string",
"examples": [
"v1.0.0"
]
},
"target_commitish": {
"description": "Specifies the commitish value that determines where the Git tag is created from.",
"type": "string",
"examples": [
"master"
]
},
"name": {
"type": [
"string",
"null"
]
},
"body": {
"type": [
"string",
"null"
]
},
"draft": {
"description": "true to create a draft (unpublished) release, false to create a published one.",
"type": "boolean",
"examples": [
false
]
},
"prerelease": {
"description": "Whether to identify the release as a prerelease or a full release.",
"type": "boolean",
"examples": [
false
]
},
"created_at": {
"type": "string",
"format": "date-time"
},
"published_at": {
"type": [
"string",
"null"
],
"format": "date-time"
},
"author": {
"title": "Simple User",
"description": "A GitHub user.",
"type": "object",
"properties": {
"name": {
"type": [
"string",
"null"
]
},
"email": {
"type": [
"string",
"null"
]
},
"login": {
"type": "string",
"examples": [
"octocat"
]
},
"id": {
"type": "integer",
"format": "int64",
"examples": [
1
]
},
"node_id": {
"type": "string",
"examples": [
"MDQ6VXNlcjE="
]
},
"avatar_url": {
"type": "string",
"format": "uri",
"examples": [
"https://github.com/images/error/octocat_happy.gif"
]
},
"gravatar_id": {
"type": [
"string",
"null"
],
"examples": [
"41d064eb2195891e12d0413f63227ea7"
]
},
"url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat"
]
},
"html_url": {
"type": "string",
"format": "uri",
"examples": [
"https://github.com/octocat"
]
},
"followers_url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat/followers"
]
},
"following_url": {
"type": "string",
"examples": [
"https://api.github.com/users/octocat/following{/other_user}"
]
},
"gists_url": {
"type": "string",
"examples": [
"https://api.github.com/users/octocat/gists{/gist_id}"
]
},
"starred_url": {
"type": "string",
"examples": [
"https://api.github.com/users/octocat/starred{/owner}{/repo}"
]
},
"subscriptions_url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat/subscriptions"
]
},
"organizations_url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat/orgs"
]
},
"repos_url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat/repos"
]
},
"events_url": {
"type": "string",
"examples": [
"https://api.github.com/users/octocat/events{/privacy}"
]
},
"received_events_url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat/received_events"
]
},
"type": {
"type": "string",
"examples": [
"User"
]
},
"site_admin": {
"type": "boolean"
},
"starred_at": {
"type": "string",
"examples": [
"\"2020-07-09T00:17:55Z\""
]
},
"user_view_type": {
"type": "string",
"examples": [
"public"
]
}
},
"required": [
"avatar_url",
"events_url",
"followers_url",
"following_url",
"gists_url",
"gravatar_id",
"html_url",
"id",
"node_id",
"login",
"organizations_url",
"received_events_url",
"repos_url",
"site_admin",
"starred_url",
"subscriptions_url",
"type",
"url"
]
},
"assets": {
"type": "array",
"items": {
"title": "Release Asset",
"description": "Data related to a release.",
"type": "object",
"properties": {
"url": {
"type": "string",
"format": "uri"
},
"browser_download_url": {
"type": "string",
"format": "uri"
},
"id": {
"type": "integer"
},
"node_id": {
"type": "string"
},
"name": {
"description": "The file name of the asset.",
"type": "string",
"examples": [
"Team Environment"
]
},
"label": {
"type": [
"string",
"null"
]
},
"state": {
"description": "State of the release asset.",
"type": "string",
"enum": [
"uploaded",
"open"
]
},
"content_type": {
"type": "string"
},
"size": {
"type": "integer"
},
"download_count": {
"type": "integer"
},
"created_at": {
"type": "string",
"format": "date-time"
},
"updated_at": {
"type": "string",
"format": "date-time"
},
"uploader": {
"anyOf": [
{
"type": "null"
},
{
"title": "Simple User",
"description": "A GitHub user.",
"type": "object",
"properties": {
"name": {
"type": [
"string",
"null"
]
},
"email": {
"type": [
"string",
"null"
]
},
"login": {
"type": "string",
"examples": [
"octocat"
]
},
"id": {
"type": "integer",
"format": "int64",
"examples": [
1
]
},
"node_id": {
"type": "string",
"examples": [
"MDQ6VXNlcjE="
]
},
"avatar_url": {
"type": "string",
"format": "uri",
"examples": [
"https://github.com/images/error/octocat_happy.gif"
]
},
"gravatar_id": {
"type": [
"string",
"null"
],
"examples": [
"41d064eb2195891e12d0413f63227ea7"
]
},
"url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat"
]
},
"html_url": {
"type": "string",
"format": "uri",
"examples": [
"https://github.com/octocat"
]
},
"followers_url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat/followers"
]
},
"following_url": {
"type": "string",
"examples": [
"https://api.github.com/users/octocat/following{/other_user}"
]
},
"gists_url": {
"type": "string",
"examples": [
"https://api.github.com/users/octocat/gists{/gist_id}"
]
},
"starred_url": {
"type": "string",
"examples": [
"https://api.github.com/users/octocat/starred{/owner}{/repo}"
]
},
"subscriptions_url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat/subscriptions"
]
},
"organizations_url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat/orgs"
]
},
"repos_url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat/repos"
]
},
"events_url": {
"type": "string",
"examples": [
"https://api.github.com/users/octocat/events{/privacy}"
]
},
"received_events_url": {
"type": "string",
"format": "uri",
"examples": [
"https://api.github.com/users/octocat/received_events"
]
},
"type": {
"type": "string",
"examples": [
"User"
]
},
"site_admin": {
"type": "boolean"
},
"starred_at": {
"type": "string",
"examples": [
"\"2020-07-09T00:17:55Z\""
]
},
"user_view_type": {
"type": "string",
"examples": [
"public"
]
}
},
"required": [
"avatar_url",
"events_url",
"followers_url",
"following_url",
"gists_url",
"gravatar_id",
"html_url",
"id",
"node_id",
"login",
"organizations_url",
"received_events_url",
"repos_url",
"site_admin",
"starred_url",
"subscriptions_url",
"type",
"url"
]
}
]
}
},
"required": [
"id",
"name",
"content_type",
"size",
"state",
"url",
"node_id",
"download_count",
"label",
"uploader",
"browser_download_url",
"created_at",
"updated_at"
]
}
},
"body_html": {
"type": "string"
},
"body_text": {
"type": "string"
},
"mentions_count": {
"type": "integer"
},
"discussion_url": {
"description": "The URL of the release discussion.",
"type": "string",
"format": "uri"
},
"reactions": {
"title": "Reaction Rollup",
"type": "object",
"properties": {
"url": {
"type": "string",
"format": "uri"
},
"total_count": {
"type": "integer"
},
"+1": {
"type": "integer"
},
"-1": {
"type": "integer"
},
"laugh": {
"type": "integer"
},
"confused": {
"type": "integer"
},
"heart": {
"type": "integer"
},
"hooray": {
"type": "integer"
},
"eyes": {
"type": "integer"
},
"rocket": {
"type": "integer"
}
},
"required": [
"url",
"total_count",
"+1",
"-1",
"laugh",
"confused",
"heart",
"hooray",
"eyes",
"rocket"
]
}
},
"required": [
"assets_url",
"upload_url",
"tarball_url",
"zipball_url",
"created_at",
"published_at",
"draft",
"id",
"node_id",
"author",
"html_url",
"name",
"prerelease",
"tag_name",
"target_commitish",
"assets",
"url"
]
} |
|
@prabhu I don't think its necessary capture all of the release's properties in the PURL. As long as there is enough information to uniquely identify a specific GitHub release we should be good. |
|
Github Releases are mutable though. I can remove and reupload a new artifact with the same name. I think requiring the SHA256 or upload timestamp would be beneficial. |
|
@jaimergp it turns out that the feature I'm working (the one which inspired the need for this new purl type) is to make releases immutable. When used in that context, the repo and tag should be sufficient to uniquely identify the release. Perhaps an optional |
Signed-off-by: Brian DeHamer <bdehamer@github.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>
bdehamer
force-pushed
the
bdehamer/github-release
branch
from
2804d56 to
56783d3
Compare
Signed-off-by: Brian DeHamer <bdehamer@github.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>
bdehamer
force-pushed
the
bdehamer/github-release
branch
from
56783d3 to
4975be7
Compare
|
@jaimergp I documented the |
> When percent-encoding is required, all characters MUST be encoded except for the colon ':'.
fix examples for `github-release` examples > When percent-encoding is required, all characters MUST be encoded except for the colon ':'.
jkowalleck
approved these changes
Apr 4, 2025
|
Hey, I posted some comment in #299 (comment) ... I need to think more about that one and how we can discover a release. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Per: #299
Introduces a new
github-releasepackage type for identifying specific GitHub Releases.There is some overlap here with the existing
githubpackage type -- in theory you can point to a GitHub release today with agithubpackage type be identifying the release's tag:However, there may come a time when GitHub releases are decoupled from git tags and it would be helpful to have a way to disambiguate between a plain ol' GitHub repository tag and a named GitHub Release:
The most immediate use case for this is in the context of in-toto release predicates where we need to be able to identify a specific GitHub release using a purl.