-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: add sbom generation for releases #337
chore: add sbom generation for releases #337
Conversation
@Kavindu-Dodan should we also add SBOM generation for the container image, like it OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124 |
@Kavindu-Dodan Also I think the title should be "chore" or something like that. This is a "feature" in terms of security features, but not a new functional feature in flagd in the sense of semver or compatibility. |
2b57b54
to
e297f35
Compare
Per my understanding, we are not scanning the image for SBOM generation in OFO but rather scanning only the source [1]. I will update this PR to introduce image scanning [2] . We might have to do the same (after validating things here) for OFO later on. [1] - https://github.com/anchore/sbom-action#basic-usage |
Oh, interesting. I think you're right based on the doc. Your plan sounds good. |
Updated the PR. I validated the workflow in a test project - Release artefcats [1] & Image scan [2]. Let's see the workflow in action once merged 🤞 [1] - https://github.com/Kavindu-Dodan/flagd-grpc-sync/releases/tag/v0.6 |
be4c676
to
32908ac
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@beeme1mr could you take a look as well if you have a sec?
32908ac
to
a371a80
Compare
1af7e69
to
cbf500e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice!
Signed-off-by: Kavindu Dodanduwa <kavindudodanduwa@gmail.com>
Signed-off-by: Kavindu Dodanduwa <kavindudodanduwa@gmail.com>
cbf500e
to
53a57a5
Compare
@Kavindu-Dodan has contributed multiple significant changes and proposals to flagd: - multiple refactors: #291, #307 - ci/security improvements: #338, #337 - architectural proposals (some of which got some attention from outside parties!): open-feature/ofep#45, open-feature/flagd-schemas#78, #249 (comment) - load testing: #225 - documentation improvements For these reasons, I believe he should be made a CODEOWNER in this repository. NOTE: before this is merged, @Kavindu-Dodan should be added with at least `maintainer` permissions to the repo. Signed-off-by: Todd Baert <toddbaert@gmail.com>
This PR
Fixes #329
Adding SBOM generation through go releaser. SBOM is generated per archive (see image for reference).
Along with the PR, changing deprecated archive naming [1]
How to test
Install goreleaser [2] and run following command tog get artefacts & sbom generates in local dist folder
goreleaser release --skip-publish --skip-validate --rm-dist
[1] - https://goreleaser.com/deprecations/#archivesreplacements
[2] - https://goreleaser.com/install/