chore: add sbom generation and upload workflow#3707
Open
lukpueh wants to merge 1 commit intoeclipse-hono:masterfrom
Adds stand-alone workflow to automatically generate and publish an SBOM following a push of a tag, e.g. in the Jenkins release pipeline. The workflow can also be triggered manually (workflow_dispatch event) for testing, or to generate SBOMs for previous release tags.

Signed-off-by: Lukas Puehringer <lukas.puehringer@eclipse-foundation.org>
This PR aims to bootstrap the EF Security Team initiative of generating and publishing SBOMs for project releases, with the goal of enhancing software supply chain security.
To not interfere with your existing release processes, this PR proposes a new workflow to generate and publish SBOMs autonomously, following the push of a tag, e.g. coming from the Jenkins release pipeline.
In addition to the release event, the workflow can be triggered manually to test SBOM generation, or to generate SBOMs for past releases.
Following a workflow run, the EF self-service system automatically publishes the SBOM on our DependencyTrack instance, under the Eclipse Hono → hono entry. To view the uploaded results, you can log into DependencyTrack by using your EF account credentials.
If the PR is merged, we kindly ask you to run the workflow once, so that we can confirm a successful SBOM upload from your repository. You can find instructions to trigger a workflow manually in the GitHub documentation:
Also note that edits by maintainers are enabled for this PR, so feel free to update the workflow as you see fit, and do let us know if you have any questions!
More details about our SBOM Early Adopters initiative at EF can be found in our Security Handbook.
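To illustrate the shape of a tag-triggered SBOM workflow with a manual fallback, here is an added example; it is not the workflow file from this PR nor the EF self-service integration. It assumes a Maven build (the `org.cyclonedx:cyclonedx-maven-plugin` writes `target/bom.json`), a Java 17 toolchain, and repository secrets named `DT_URL` and `DT_API_KEY` for a Dependency-Track instance reached directly over its `/api/v1/bom` upload endpoint; the project name `hono` matches the DependencyTrack entry mentioned above.

```yaml
# Added example, not the PR's workflow. Runs on every pushed tag and on
# manual dispatch (optionally for an older release tag).
name: Generate and upload SBOM

on:
  push:
    tags:
      - '*'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Existing release tag to build the SBOM for (default: current ref)'
        required: false

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # inputs.tag is empty on push events, so fall back to the pushed ref.
          ref: ${{ inputs.tag || github.ref }}

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'   # assumption: adjust to the project's build JDK

      - name: Generate CycloneDX SBOM covering all Maven modules
        run: mvn -B -DskipTests org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom

      - name: Keep the SBOM as a downloadable workflow artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: target/bom.json

      - name: Publish SBOM to Dependency-Track (assumed secrets DT_URL / DT_API_KEY)
        env:
          DT_URL: ${{ secrets.DT_URL }}
          DT_API_KEY: ${{ secrets.DT_API_KEY }}
        run: |
          VERSION="${{ inputs.tag || github.ref_name }}"
          # --fail makes a rejected upload (bad key, missing permission) fail the job.
          curl --fail --silent --show-error -X POST "$DT_URL/api/v1/bom" \
            -H "X-Api-Key: $DT_API_KEY" \
            -F "projectName=hono" \
            -F "projectVersion=$VERSION" \
            -F "autoCreate=true" \
            -F "bom=@target/bom.json"
```

For production use, pin each `uses:` action to a full commit SHA rather than a version tag, so the SBOM pipeline itself is not a supply-chain weak point.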