Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add improved SBOM reports #746

Merged
merged 3 commits into from
Jan 20, 2025
Merged

Add improved SBOM reports #746

merged 3 commits into from
Jan 20, 2025

Conversation

mgcm
Copy link
Contributor

@mgcm mgcm commented Jan 15, 2025

This PR improves the SBOM reporting process by:

  • adding a yarn.lock SBOM scan report within the hosted widget assets at <URL>/sbom.spdx.json
  • adding a yarn.lock SBOM scan report of the bot at /usr/local/share/doc/
  • adding an image SBOM scan report artifact to every CI build (see example)
  • adding an image SBOM scan report as a release asset when publishing a new release

✔️ Checklist

  • A changeset describing the change and affected packages (more info).
  • Added or updated documentation.
  • Tests for new functionality and regression tests for bug fixes.
  • Screenshots or videos attached (for UI changes).
  • All your commits have a Signed-off-by line in the message (more info).

Sorry, something went wrong.

@mgcm mgcm requested a review from a team January 15, 2025 16:48
Copy link

changeset-bot bot commented Jan 15, 2025

🦋 Changeset detected

Latest commit: b18159f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
@nordeck/matrix-meetings-widget Patch
@nordeck/matrix-meetings-bot Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@mgcm mgcm force-pushed the nic/feat/ZO-132-improve-sbom branch 2 times, most recently from a16f704 to 75d8dc8 Compare January 15, 2025 17:00
.github/workflows/ci.yml Outdated Show resolved Hide resolved
uses: actions/upload-artifact@v4
with:
name: matrix-meetings-bot-sbom-spdx-report
path: 'matrix-meetings-bot.sbom.spdx.json'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could not see these in artifacts similar to other widgets. Am I looking wrong somehow?

Screenshot 2025-01-16 at 20 01 26

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you're right, they are not listed there. But they are being uploaded and the logs reference the uploaded file. I'll check if we need to adjust the artifact path because of having two builds in the same workflow.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you check again? It might have been a temporary github issue, as they are now listed:

Screenshot 2025-01-20 at 14 10 06

mgcm and others added 3 commits January 20, 2025 14:10
Signed-off-by: Milton Moura <[email protected]>

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
Signed-off-by: Milton Moura <[email protected]>
Co-authored-by: maheichyk <[email protected]>
Signed-off-by: Milton Moura <[email protected]>
@mgcm mgcm force-pushed the nic/feat/ZO-132-improve-sbom branch from 34beaa6 to b18159f Compare January 20, 2025 15:10
@mgcm mgcm requested a review from a team as a code owner January 20, 2025 15:10
@mgcm mgcm merged commit 348ac70 into main Jan 20, 2025
6 checks passed
@mgcm mgcm deleted the nic/feat/ZO-132-improve-sbom branch January 20, 2025 17:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants