chore: add sbom generation and upload workflow #230
This PR aims to bootstrap the EF Security Team initiative of generating and publishing SBOMs for project releases, with the goal of enhancing software supply chain security.
To not interfere with your existing release processes, this PR proposes a new workflow to generate and publish SBOMs autonomously, following release tag pushes for the JGit product. The workflow respects the existing SBOM plugin configuration in pom.xml, which is updated to use the latest SBOM schema version.[1] In addition to the release event, the workflow can be triggered manually to test SBOM generation, or to generate SBOMs for past releases.
Following a workflow run, the EF self-service system automatically publishes the SBOM on our DependencyTrack instance, under the Eclipse JGit → JGit entry. To view the uploaded results, you can log into DependencyTrack by using your EF account credentials.
If the PR is merged, we kindly ask you to run the workflow once, so that we can confirm a successful SBOM upload from your repository. You can find instructions to trigger a workflow manually in the GitHub documentation:
Also note that edits by maintainers are enabled for this PR, so feel free to update the workflow as you see fit, and do let us know if you have any questions!
More details about our SBOM Early Adopters initiative at EF can be found in our Security Handbook.
Footnotes

1. We recommend removing the SBOM configuration from pom.xml, and defining necessary (non-default) options only in the new workflow to avoid surprising behaviour. Removing the configuration in pom.xml also fixes a bug, which currently generates an aggregate SBOM for each module.
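The PR text describes the workflow's triggers and behaviour but the page does not show the workflow file itself. The following is an added illustration of such a workflow, not the workflow submitted in this PR and not EF or JGit code. It assumes the SBOM plugin referred to above is the CycloneDX Maven plugin (`org.cyclonedx:cyclonedx-maven-plugin`), that release tags are prefixed with `v`, and that the project builds on Java 17; all three are assumptions, not facts from the page. In line with the footnote, the non-default options (aggregate BOM, schema version, JSON output) are passed on the command line rather than configured in pom.xml. The upload to DependencyTrack is left out because, per the description, the EF self-service system performs it after the run.

```yaml
# Added example workflow (not the one from this PR).
# Assumptions: CycloneDX Maven plugin, v-prefixed release tags, Java 17.
name: SBOM

on:
  push:
    tags:
      - 'v*'                      # assumption: release tags look like v1.2.3
  workflow_dispatch:              # manual run: test generation or redo a past release
    inputs:
      ref:
        description: 'Tag or commit to generate the SBOM for (empty: current ref)'
        required: false
        default: ''

permissions:
  contents: read                  # least privilege: the job only reads the repository

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # On a tag push `inputs` is empty, so github.ref (the tag) is used;
          # on a manual run the requested tag/commit wins.
          ref: ${{ inputs.ref || github.ref }}

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'      # assumption about the project's Java baseline

      - name: Generate one aggregate CycloneDX SBOM for the whole build
        # Non-default options live here, not in pom.xml (see footnote 1):
        # makeAggregateBom runs once for the reactor instead of per module.
        run: |
          mvn -B -ntp org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom \
            -DschemaVersion=1.6 \
            -DoutputFormat=json \
            -DoutputName=sbom

      - name: Keep the SBOM as a workflow artifact for the uploader
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: target/sbom.json
```

When testing a manual run, pass an existing release tag as `ref` and check that exactly one `sbom.json` appears in the root `target/` directory; a BOM per module under each submodule's `target/` is the symptom the footnote describes.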