Create Software Bill of Material (SBOM) as part of the release #22054
base: 5.x-dev
Conversation
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

How can we test this? We'd need to merge it and then see what happens on the next release? Or do a draft PR just with the SBOM generation and test that by running the action manually without all the actual release stuff?
@michalkleiner I can do a demo on my fork.

@michalkleiner I created a release in my fork but the file doesn't make it to the end package
Compare 01f097f to 4ddec64
@michalkleiner fixed. You can see it in action here: https://github.com/LaurentGoderre/matomo/releases

Thanks for the link @LaurentGoderre. I'll put the JSON the tool generates here from one of your release archives. I'm not sure if things like GitHub Actions should be included, what can be configured, what should or shouldn't be in the SBOM. Maybe we need to have a discussion with @matomo-org/core-reviewers on this.
@mneudert do you know who to tag for this?
Description:
Create an SBOM to include in the release to preserve dependency information.
POC here:
https://github.com/LaurentGoderre/sbom-ci-test
https://github.com/LaurentGoderre/sbom-ci-test/actions/runs/8452612627
Alternative to #22048
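The thread does not say which tool the POC uses or what ends up in the generated JSON, so here is an added example (not Matomo's code and not the PR author's POC) of the minimum an SBOM for a release archive has to preserve: one component per locked dependency, with a Package URL, version, licence and the dist hash Composer recorded. It assumes the release archive ships a `composer.lock` (Matomo is a Composer project) and emits CycloneDX 1.5 JSON; the `SAMPLE_COMPOSER_LOCK` below is constructed for the example, and `include_dev` is the knob for the "what should or shouldn't be in the SBOM" question raised above. `missing_from_sbom` is the check a reviewer can run against a real release: every package in the lock file must appear in the SBOM that shipped beside it.

```python
"""Build a minimal CycloneDX 1.5 SBOM from a Composer lock file.

Added example, not Matomo's or the PR's code. Assumes the release archive
contains composer.lock; the sample lock below is constructed.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample of a composer.lock; only the fields this script reads.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "content-hash": "d41d8cd98f00b204e9800998ecf8427e",
    "packages": [
        {"name": "monolog/monolog", "version": "2.9.2",
         "dist": {"type": "zip", "shasum": "abc123"},
         "license": ["MIT"]},
        {"name": "symfony/console", "version": "v5.4.40",
         "dist": {"type": "zip", "shasum": ""},
         "license": ["MIT"]},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.19",
         "dist": {"type": "zip", "shasum": "def456"},
         "license": ["BSD-3-Clause"]},
    ],
})


def purl(name: str, version: str) -> str:
    """Package URL for a Composer package; Composer tags often carry a leading 'v'."""
    vendor, _, pkg = name.partition("/")
    return f"pkg:composer/{vendor}/{pkg}@{version.lstrip('v')}"


def composer_lock_to_cyclonedx(lock_text: str, project_name: str,
                               project_version: str,
                               include_dev: bool = False) -> dict:
    """One CycloneDX component per locked package (dev packages only on request)."""
    lock = json.loads(lock_text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    components = []
    for section in sections:
        for pkg in lock.get(section, []):
            comp = {
                "type": "library",
                "name": pkg["name"],
                "version": pkg["version"].lstrip("v"),
                "purl": purl(pkg["name"], pkg["version"]),
            }
            licenses = pkg.get("license") or []
            if licenses:
                comp["licenses"] = [{"license": {"id": lic}} for lic in licenses]
            # composer.lock stores the SHA-1 of the dist archive; keep it so a
            # consumer can tie the SBOM entry to the exact bytes that were vendored.
            shasum = (pkg.get("dist") or {}).get("shasum")
            if shasum:
                comp["hashes"] = [{"alg": "SHA-1", "content": shasum}]
            components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": project_name,
                          "version": project_version},
        },
        "components": components,
    }


def missing_from_sbom(lock_text: str, sbom: dict) -> list:
    """Names of locked (non-dev) packages the SBOM fails to list, by purl."""
    lock = json.loads(lock_text)
    listed = {c["purl"] for c in sbom.get("components", [])}
    return [p["name"] for p in lock["packages"]
            if purl(p["name"], p["version"]) not in listed]


if __name__ == "__main__":
    bom = composer_lock_to_cyclonedx(SAMPLE_COMPOSER_LOCK, "matomo", "5.0.0")
    print(json.dumps(bom, indent=2))
    print("missing:", missing_from_sbom(SAMPLE_COMPOSER_LOCK, bom))
```

Run against a real archive, point the two functions at the extracted `composer.lock` and the shipped SBOM JSON; a non-empty `missing_from_sbom` result means the release packaging step dropped or truncated the SBOM, which is exactly the failure mode reported earlier in the thread.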