Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: add sbom generation for releases #337

Merged
merged 2 commits into from
Jan 31, 2023

Conversation

Kavindu-Dodan
Copy link
Contributor

@Kavindu-Dodan Kavindu-Dodan commented Jan 27, 2023

This PR

Fixes #329

Adding SBOM generation through go releaser. SBOM is generated per archive (see image for reference).

Along with the PR, changing deprecated archive naming [1]

image

How to test

Install goreleaser [2] and run following command tog get artefacts & sbom generates in local dist folder

goreleaser release --skip-publish --skip-validate --rm-dist

[1] - https://goreleaser.com/deprecations/#archivesreplacements
[2] - https://goreleaser.com/install/

@Kavindu-Dodan Kavindu-Dodan changed the title add sbom generation for releases feat: add sbom generation for releases Jan 27, 2023
.goreleaser.yaml Show resolved Hide resolved
@toddbaert toddbaert self-requested a review January 30, 2023 15:19
@toddbaert
Copy link
Member

@Kavindu-Dodan should we also add SBOM generation for the container image, like it OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124

@toddbaert
Copy link
Member

@Kavindu-Dodan Also I think the title should be "chore" or something like that. This is a "feature" in terms of security features, but not a new functional feature in flagd in the sense of semver or compatibility.

@Kavindu-Dodan Kavindu-Dodan changed the title feat: add sbom generation for releases chore: add sbom generation for releases Jan 30, 2023
@Kavindu-Dodan Kavindu-Dodan force-pushed the feature/sbom-to-release branch from 2b57b54 to e297f35 Compare January 30, 2023 17:17
@Kavindu-Dodan
Copy link
Contributor Author

@Kavindu-Dodan should we also add SBOM generation for the container image, like it OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124

Per my understanding, we are not scanning the image for SBOM generation in OFO but rather scanning only the source [1]. I will update this PR to introduce image scanning [2] . We might have to do the same (after validating things here) for OFO later on.

[1] - https://github.com/anchore/sbom-action#basic-usage
[2] - https://github.com/anchore/sbom-action#scan-a-container-image

@toddbaert
Copy link
Member

@Kavindu-Dodan should we also add SBOM generation for the container image, like it OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124

Per my understanding, we are not scanning the image for SBOM generation in OFO but rather scanning only the source [1]. I will update this PR to introduce image scanning [2] . We might have to do the same (after validating things here) for OFO later on.

[1] - https://github.com/anchore/sbom-action#basic-usage [2] - https://github.com/anchore/sbom-action#scan-a-container-image

Oh, interesting. I think you're right based on the doc.

Your plan sounds good.

@Kavindu-Dodan
Copy link
Contributor Author

@Kavindu-Dodan should we also add SBOM generation for the container image, like it OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124

Per my understanding, we are not scanning the image for SBOM generation in OFO but rather scanning only the source [1]. I will update this PR to introduce image scanning [2] . We might have to do the same (after validating things here) for OFO later on.
[1] - https://github.com/anchore/sbom-action#basic-usage [2] - https://github.com/anchore/sbom-action#scan-a-container-image

Oh, interesting. I think you're right based on the doc.

Your plan sounds good.

Updated the PR.

I validated the workflow in a test project - Release artefcats [1] & Image scan [2]. Let's see the workflow in action once merged 🤞

[1] - https://github.com/Kavindu-Dodan/flagd-grpc-sync/releases/tag/v0.6
[2] - https://github.com/Kavindu-Dodan/flagd-grpc-sync/actions/runs/4047491430/jobs/6961565162#step:6:18

@Kavindu-Dodan Kavindu-Dodan force-pushed the feature/sbom-to-release branch from be4c676 to 32908ac Compare January 30, 2023 19:53
Copy link
Member

@toddbaert toddbaert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@beeme1mr could you take a look as well if you have a sec?

@Kavindu-Dodan Kavindu-Dodan force-pushed the feature/sbom-to-release branch from 32908ac to a371a80 Compare January 30, 2023 20:39
@beeme1mr beeme1mr self-requested a review January 30, 2023 21:38
@Kavindu-Dodan Kavindu-Dodan force-pushed the feature/sbom-to-release branch from 1af7e69 to cbf500e Compare January 30, 2023 23:25
Copy link
Contributor

@skyerus skyerus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

Signed-off-by: Kavindu Dodanduwa <kavindudodanduwa@gmail.com>
Signed-off-by: Kavindu Dodanduwa <kavindudodanduwa@gmail.com>
@toddbaert toddbaert force-pushed the feature/sbom-to-release branch from cbf500e to 53a57a5 Compare January 31, 2023 14:41
@toddbaert toddbaert merged commit ffb8dc1 into open-feature:main Jan 31, 2023
beeme1mr pushed a commit that referenced this pull request Feb 7, 2023
@Kavindu-Dodan has contributed multiple significant changes and
proposals to flagd:

- multiple refactors: #291,
#307
- ci/security improvements:
#338,
#337
- architectural proposals (some of which got some attention from outside
parties!): open-feature/ofep#45,
open-feature/flagd-schemas#78,
#249 (comment)
- load testing: #225
- documentation improvements

For these reasons, I believe he should be made a CODEOWNER in this
repository.

NOTE: before this is merged, @Kavindu-Dodan should be added with at
least `maintainer` permissions to the repo.

Signed-off-by: Todd Baert <toddbaert@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[FEATURE] Add SBOM to release
4 participants