
Add SPDX SBOM generation to build-and-publish workflow #905

Open

Rimsha2535 wants to merge 2 commits into main from feature/882-spdx-sbom-generation

Add SPDX SBOM generation to build-and-publish workflow#905
Rimsha2535 wants to merge 2 commits into
mainfrom
feature/882-spdx-sbom-generation

Conversation

@Rimsha2535

Contributor

Fixes #882

Checklist

Note: If any of the items in the checklist are not relevant to your PR, just check the box.

For any Pull Request

Is the following correct:

  • the title of the Pull Request?
  • the title of the corresponding issue?
  • there are no other open Pull Requests for the same update/change?
  • that the issue which this Pull Request fixes ("Fixes...") is mentioned?

When Changes Were Made

Did you:

  • update the changelog?
  • update the cookiecutter-template?
  • update the implementation?
  • check coverage and add tests: unit tests and, if relevant, integration tests?
  • update the User Guide & other documentation?
  • resolve any failing CI criteria (incl. Sonar quality gate)?

When Preparing a Release

Have you:

  • thought about version number (major, minor, patch)?
  • checked Exasol packages for updates and resolved open vulnerabilities, if easily possible?

Notes

  • Changelog was not updated because this is an internal workflow change.
  • No tests were added as this is a workflow template change.

@Rimsha2535 Rimsha2535 force-pushed the feature/882-spdx-sbom-generation branch from 41ef585 to 5f8530e on June 29, 2026 21:41

@Rimsha2535 Rimsha2535 requested a review from ArBridgeman June 30, 2026 15:16
@ArBridgeman

Collaborator

@codex

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a5991b5713


id: generate-sbom
run: |
pip install cyclonedx-bom
cyclonedx-py environment -o bom.cdx.json
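Review bot: the step is named as generating an SPDX SBOM, but cyclonedx-bom emits CycloneDX documents (the output name bom.cdx.json says as much), so the artifact will not be SPDX; either pick a tool that writes SPDX or rename the artifact and the PR so the format matches what releases will ship. Separately, `pip install cyclonedx-bom` is unpinned, so the SBOM generator itself can change from one release run to the next; pin it to an exact version (with hashes if the project already uses them) so the SBOM step is reproducible.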

P2: Run SBOM generation in the Poetry environment

Generated projects install their dependencies through the shared action with plain poetry install, which leaves them in Poetry's virtualenv and is only entered via poetry run later in the action. This command is executed after a plain pip install cyclonedx-bom, so cyclonedx-py environment scans the runner Python environment containing the SBOM tool instead of the project environment that was just built; releases will upload an SPDX file that omits the package/dependencies it is supposed to describe. Generate the SBOM from the Poetry environment or from the lock file instead.

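The failure mode in the comment above (an SBOM that lists the SBOM tool's own packages instead of the project's dependencies) is easy to catch with a release-time check that compares the generated SBOM against poetry.lock. The script below is an added example, not code from the PR or from exasol/python-toolbox; the lock-file excerpt, the two SBOM documents and every package version in them are constructed samples, and the function names are mine.

```python
"""Verify that a CycloneDX SBOM actually covers the packages pinned in poetry.lock.

Added example (not code from the PR or from exasol/python-toolbox). It models the
failure mode described in the review: an SBOM generated from the wrong interpreter
lists the SBOM tool's own packages instead of the project's dependencies.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed excerpt in poetry.lock layout; packages and versions are samples.
SAMPLE_POETRY_LOCK = """\
[[package]]
name = "requests"
version = "2.31.0"
description = "Python HTTP for Humans."

[[package]]
name = "urllib3"
version = "2.2.1"
description = "HTTP library with thread-safe connection pooling"

[[package]]
name = "Typing-Extensions"
version = "4.11.0"
description = "Backported and experimental type hints"
"""

# Constructed SBOM resembling `cyclonedx-py environment` output taken from the
# runner's base interpreter: only the SBOM tool's own dependencies show up.
SAMPLE_SBOM_WRONG_ENV = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "cyclonedx-bom", "version": "0.0.0-sample"},
        {"type": "library", "name": "packageurl-python", "version": "0.0.0-sample"},
    ],
})

# Constructed SBOM as it should look when generated from the Poetry environment
# or from the lock file (note the underscore spelling of typing_extensions).
SAMPLE_SBOM_POETRY_ENV = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1"},
        {"type": "library", "name": "typing_extensions", "version": "4.11.0"},
    ],
})


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Typing-Extensions' and 'typing_extensions' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lock_packages(lock_text: str) -> Dict[str, str]:
    """Map normalised package name -> version for every [[package]] block in a poetry.lock."""
    packages: Dict[str, str] = {}
    for block in re.split(r"^\[\[package\]\][ \t]*$", lock_text, flags=re.MULTILINE)[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.MULTILINE)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.MULTILINE)
        if name and version:
            packages[normalize(name.group(1))] = version.group(1)
    return packages


def sbom_components(sbom_json: str) -> Dict[str, str]:
    """Map normalised component name -> version from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {normalize(c["name"]): c.get("version", "") for c in doc.get("components", [])}


def missing_from_sbom(lock_text: str, sbom_json: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs pinned in the lock file but absent from, or at a
    different version in, the SBOM. An empty list means the SBOM covers the lock file."""
    wanted = lock_packages(lock_text)
    have = sbom_components(sbom_json)
    return sorted((n, v) for n, v in wanted.items() if have.get(n) != v)


if __name__ == "__main__":
    for label, sbom in (("wrong env", SAMPLE_SBOM_WRONG_ENV), ("poetry env", SAMPLE_SBOM_POETRY_ENV)):
        gaps = missing_from_sbom(SAMPLE_POETRY_LOCK, sbom)
        print(f"{label}: {'OK' if not gaps else 'MISSING ' + str(gaps)}")
```

Run against the real poetry.lock and the bom produced by the release step, a non-empty result is exactly the symptom the review describes and is a good reason to fail the job before the artifact is uploaded. Name normalisation matters because lock files and SBOMs spell the same package differently (hyphen vs. underscore, mixed case), and a naive string comparison would report false gaps.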

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v9
uses: exasol/python-toolbox/.github/actions/python-environment@v10
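Review bot: moving from @v9 to @v10 keeps the workflow on a mutable major tag, so whatever that tag is later moved to is what the release will run; for a release workflow that now produces an SBOM describing the build, pin the action to a full commit SHA and keep the version in a trailing comment. A SHA also cannot be "not yet pushed" the way a major tag can, which removes the tag-ordering problem for this repository's own release.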

P2: Keep self-release workflows on an existing action ref

For this repository's own 10.0.0 release, release:trigger pushes the version tag first and only pushes the v10 major tag afterwards (exasol/toolbox/nox/_release.py lines 100-106, with create_major_version_tags=True). The CD workflow is triggered by that first tag, so this job can try to resolve exasol/python-toolbox/...@v10 before v10 exists and abort the release during the pre-check. The self-release workflows should keep using an already-existing ref (or the local action) until after the major tag is available.

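The ordering problem in the comment above (the version tag is pushed before the v10 major tag, so a workflow resolving the action at @v10 can fail) can be guarded by a pre-check that asks the remote whether the ref exists before the job proceeds. The script below is an added example, not code from the PR or from exasol/python-toolbox. It assumes git is on PATH; `tag_exists`, `make_demo_repo`, `push_major_tag` and `preflight` are names I chose, and the repository it builds is a constructed local stand-in for the real remote so the demonstration runs offline.

```python
"""Pre-check that an action ref exists before a release workflow tries to use it.

Added example (not code from the PR or from exasol/python-toolbox). The review
describes release:trigger pushing the 10.0.0 tag before the v10 major tag, so a
workflow resolving python-environment@v10 can abort. `tag_exists` is the check a
job could run up front; `make_demo_repo` builds a throwaway local repository
that reproduces that in-between state without any network access.
"""
import subprocess
import tempfile


def tag_exists(repo: str, tag: str) -> bool:
    """True if `repo` (a URL or a local path) already carries refs/tags/<tag>.

    `git ls-remote --exit-code` exits with status 2 when no ref matches, so the
    answer comes from the return code and no output parsing is needed.
    """
    result = subprocess.run(
        ["git", "ls-remote", "--exit-code", "--tags", repo, f"refs/tags/{tag}"],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        check=False,
    )
    return result.returncode == 0


def make_demo_repo(version_tag: str = "10.0.0") -> str:
    """Create a constructed local repository with one empty commit and only the version tag,
    mirroring the moment right after release:trigger has pushed 10.0.0 but not yet v10."""
    path = tempfile.mkdtemp(prefix="demo-action-repo-")
    git = ["git", "-C", path]
    subprocess.run(git + ["init", "-q"], check=True)
    subprocess.run(
        git + ["-c", "user.name=demo", "-c", "user.email=demo@example.invalid",
               "commit", "-q", "--allow-empty", "-m", "constructed commit"],
        check=True,
    )
    subprocess.run(git + ["tag", version_tag], check=True)
    return path


def push_major_tag(repo: str, major_tag: str = "v10") -> None:
    """Simulate the later step of release:trigger that creates the major tag."""
    subprocess.run(["git", "-C", repo, "tag", major_tag], check=True)


def preflight(repo: str, ref: str) -> str:
    """Message a release job could emit before resolving an action at `ref`."""
    if tag_exists(repo, ref):
        return f"ok: {ref} exists in {repo}"
    return f"abort: {ref} not found in {repo}; push the major tag first or pin a commit SHA"


if __name__ == "__main__":
    repo = make_demo_repo()
    print(preflight(repo, "10.0.0"))
    print(preflight(repo, "v10"))   # the major tag has not been created yet at this point
    push_major_tag(repo)
    print(preflight(repo, "v10"))
```

In a real workflow `repo` would be the HTTPS URL of the action's repository and the check would run as an early step that fails the job with a clear message instead of letting the action resolution error surface later in the pre-check; the same function works as a local sanity check before tagging a release by hand.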


Development

Successfully merging this pull request may close these issues.

SPDX SBOM generation
