feat!: per-API-group SBOMs with serialNumber tracking #5
Merged
…ovenance
BREAKING CHANGE: the top-level schemas/sbom.cdx.json is removed. SBOMs are
now generated per CRD API group at schemas/{group}/sbom.cdx.json, co-located
with the extracted schemas for that group.
Each SBOM now includes:
- serialNumber (URN UUID v4) that persists across regenerations
- version field that increments on each rewrite (audit trail)
- component Properties with crd-schemas: namespaced provenance metadata
(source type, repo, url, chart)
Change detection compares source component names and versions against the
existing SBOM. A source version bump with unchanged schemas still produces
a version bump in the SBOM, creating a traceable record of upstream changes.
A single source producing CRDs for multiple API groups (e.g. crossplane)
results in separate SBOMs in each group directory, each containing the
source as a component.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
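The persistence and change-detection behaviour the commit message describes, as an added example in Go that is not the project's own internal/sbom code. The function names State, LoadExisting, HasChanged, newSerialNumber and Generate mirror the names listed in the PR, but their signatures, the Source type, the component type "application", and the exact property names after the crd-schemas: prefix are assumptions made here; the CycloneDX field names are from the CycloneDX JSON schema.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Subset of the CycloneDX JSON document used here; field names follow the schema.
type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}
type Component struct {
	Type       string     `json:"type"`
	Name       string     `json:"name"`
	Version    string     `json:"version,omitempty"`
	Properties []Property `json:"properties,omitempty"`
}
type BOM struct {
	BOMFormat    string      `json:"bomFormat"`
	SpecVersion  string      `json:"specVersion"`
	SerialNumber string      `json:"serialNumber"`
	Version      int         `json:"version"`
	Components   []Component `json:"components"`
}

// Source is a hypothetical description of one upstream CRD source (assumed shape).
type Source struct{ Name, Version, SourceType, Repo, URL, Chart string }

// State is the previously written SBOM for one API group (nil on first run).
type State BOM

// newSerialNumber builds a "urn:uuid:" RFC 4122 version-4 UUID from crypto/rand.
func newSerialNumber() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version nibble = 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("urn:uuid:%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// LoadExisting parses a previously written SBOM; empty input means first run.
// A file without serialNumber/version is rejected rather than silently restarting history.
func LoadExisting(data []byte) (*State, error) {
	if len(data) == 0 {
		return nil, nil
	}
	var st State
	if err := json.Unmarshal(data, &st); err != nil {
		return nil, err
	}
	if st.SerialNumber == "" || st.Version < 1 {
		return nil, fmt.Errorf("existing SBOM lacks serialNumber/version; cannot continue its history")
	}
	return &st, nil
}

// HasChanged compares (name, version) pairs only, ignoring order and properties,
// so a bare source version bump counts as a change. Source names are assumed unique.
func HasChanged(existing *State, sources []Source) bool {
	if existing == nil || len(existing.Components) != len(sources) {
		return true
	}
	have := map[string]bool{}
	for _, c := range existing.Components {
		have[c.Name+"@"+c.Version] = true
	}
	for _, s := range sources {
		if !have[s.Name+"@"+s.Version] {
			return true
		}
	}
	return false
}

// Generate returns the next SBOM and true, or nil and false when nothing changed
// (the caller then leaves the file alone). Serial is carried over; version increments.
func Generate(existing *State, sources []Source) (*BOM, bool, error) {
	if !HasChanged(existing, sources) {
		return nil, false, nil
	}
	serial, version := "", 1
	if existing != nil {
		serial, version = existing.SerialNumber, existing.Version+1
	} else if s, err := newSerialNumber(); err != nil {
		return nil, false, err
	} else {
		serial = s
	}
	comps := make([]Component, 0, len(sources))
	for _, s := range sources {
		// Property names after the "crd-schemas:" prefix are an assumption of this example.
		comps = append(comps, Component{Type: "application", Name: s.Name, Version: s.Version,
			Properties: []Property{{"crd-schemas:type", s.SourceType}, {"crd-schemas:repo", s.Repo},
				{"crd-schemas:url", s.URL}, {"crd-schemas:chart", s.Chart}}})
	}
	return &BOM{BOMFormat: "CycloneDX", SpecVersion: "1.5", SerialNumber: serial, Version: version, Components: comps}, true, nil
}
```

Running Generate with nil state mints a serial and writes version 1; re-running it on the state loaded from that output with the same sources returns changed=false, and bumping one source version yields version 2 under the same serial. Because HasChanged looks only at name and version, a change to repo, url or chart for a source whose name and version are unchanged does not trigger a rewrite; that matches the commit's description of change detection but is worth remembering when reading the audit trail.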
Sign the goreleaser checksums.txt with Sigstore cosign in keyless mode,
using GitHub Actions OIDC identity. The .bundle file is uploaded to the
release alongside the existing artifacts.
Verification:
cosign verify-blob --bundle checksums.txt.bundle \
--certificate-identity-regexp="github.com/blacksd/crd-schema-extractor" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
checksums.txt
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The autolabeler only runs when release-drafter executes. Without a pull_request trigger, PR titles are never matched against the labeling rules, so labels like 'major' from conventional commit '!' syntax are never applied. Add pull_request trigger with relevant event types and pull-requests write permission so the autolabeler can label PRs when they are opened or updated.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- Replaces `sbom.cdx.json` with per-CRD-API-group SBOMs at `schemas/{group}/sbom.cdx.json`
- `serialNumber` (URN UUID v4, stable across regenerations) and `version` tracking (incremented on each rewrite)
- Component `Properties` with `crd-schemas:` namespace prefix (type, repo, url, chart)

BREAKING CHANGE: `schemas/sbom.cdx.json` is removed. Consumers must look for `schemas/{group}/sbom.cdx.json` instead.

Changed files
- `internal/sbom/sbom.go`: `State`, `LoadExisting`, `HasChanged`, `newSerialNumber`; updated `Generate` to accept existing state
- `internal/sbom/sbom_test.go`
- `cmd/crd-schema-extractor/extract.go`
- `.github/workflows/test.yml`

Test plan
- `go test ./internal/sbom/... -v`
- `-race` (`go test ./... -race`)
- `go vet ./...` clean