Add 5 SBOM generation and upload workflows for webui, server and cli #1684
Open
lukpueh wants to merge 2 commits into eclipse:master from
* Adds two workflows to generate SBOMs from webui and server docker images using 'anchore/sbom-action' on 'registry_package' events (i.e. when an image is published in the registry).
* Adds one workflow to generate an SBOM for the server gradle build using the CycloneDX Gradle plugin injected via init script on version tag pushes.
* All workflows can also be triggered with workflow_dispatch for backfilling and testing.
* SBOMs are uploaded to sbom-staging.eclipse.org via pia-staging.eclipse.org.
* Upload logic is extracted into a reusable composite action
* Using separate workflows per SBOM upload is currently required by PIA (as it would be by Otterdog). It also makes the workflows simpler, with only little code repetition.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@eclipse-foundation.org>
Split generate-yarn-sboms.yml from eclipse#1640 into two separate workflows.

Key changes from the original:
- Two workflows instead of one. This is currently required by PIA (and would be required by Otterdog). It leads to some code repetition, but removes case handling.
- Triggers on tag push (cli-*, webui-*) instead of release events. This simplifies conditional job run and tag name extraction.
- Does not strip the webui-/cli- prefix from the version string sent to PIA/DependencyTrack.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@eclipse-foundation.org>
Friendly take-over of #1640. @iliescuioana, please pre-review before I remove the draft label.
Adds workflows to generate SBOMs and upload them to sbom-staging.eclipse.org via pia-staging.eclipse.org.
Added workflows:
See commit message for details.