Create Software Bill of Material (SBOM) as part of the release #22054
Conversation
|
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers |
github-actions
bot
added
the
Stale
|
How can we test this? We'd need to merge it and then see what happens on the next release? Or do a draft PR just with the SBOM generation and test that by running the action manually without all the actual release stuff? |
github-actions
bot
removed
the
Stale
|
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers |
github-actions
bot
added
the
Stale
|
@michalkleiner I can do a demo on my fork. |
github-actions
bot
removed
the
Stale
michalkleiner
added
the
Do not close
|
@michalkleiner I created a release in my fork but the file doesn't make it to the end package |
LaurentGoderre
force-pushed
the
sbom-in-release
branch
from
01f097f
to
4ddec64
Compare
|
@michalkleiner fixed. You can see it in action here: https://github.com/LaurentGoderre/matomo/releases |
|
Thanks for the link @LaurentGoderre. I'll put the JSON the tool generates here from one of your release archives. I'm not sure if things like github actions should be included, what can be configured, what should or shouldn't be in the SBOM. Maybe we need to have a discussion with @matomo-org/core-reviewers on this. |
|
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers |
github-actions
bot
added
Stale
|
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers |
github-actions
bot
added
Stale
Description:
Create an SBOM to include in the release to preserve dependency information.
POC here:
https://github.com/LaurentGoderre/sbom-ci-test
https://github.com/LaurentGoderre/sbom-ci-test/actions/runs/8452612627
Alternative to #22048
Review