Add SPDX SBOM generation to build-and-publish workflow#905
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a5991b5713
| id: generate-sbom | ||
| run: | | ||
| pip install cyclonedx-bom | ||
| cyclonedx-py environment -o bom.cdx.json |
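Review bot: The output file `bom.cdx.json` is CycloneDX JSON, while the PR title promises an SPDX SBOM; `cyclonedx-py environment -o bom.cdx.json` selects no SPDX output, so either the title and release artifact should say CycloneDX or a conversion step is needed before upload. Separately, `pip install cyclonedx-bom` pulls an unpinned tool version into the release job on every run; pin it to a specific version so the SBOM generator itself is a reproducible, reviewable input to the release.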
Run SBOM generation in the Poetry environment
Generated projects install their dependencies through the shared action with plain poetry install, which leaves them in Poetry's virtualenv and is only entered via poetry run later in the action. This command is executed after a plain pip install cyclonedx-bom, so cyclonedx-py environment scans the runner Python environment containing the SBOM tool instead of the project environment that was just built; releases will upload an SPDX file that omits the package/dependencies it is supposed to describe. Generate the SBOM from the Poetry environment or from the lock file instead.
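A check for the failure mode described in the review above (a release SBOM that omits the project's own dependencies), as an added example that is not code from this PR or from exasol/python-toolbox: it compares the packages listed in poetry.lock against the components of a CycloneDX JSON SBOM and reports what is missing, mismatched, or unexpected. The function names (`sbom_gaps`, `lock_packages`, `sbom_components`) and the sample lock file and BOM documents are constructed for this example; it assumes cyclonedx-py's default CycloneDX JSON layout (top-level `components` with `name`/`version`) and Poetry's `[[package]]` lock layout.

```python
"""Verify that a CycloneDX SBOM covers everything in poetry.lock.

Added example, not project code. Sample inputs below are constructed.
"""
import json
import re
from pathlib import Path

_PKG_HEADER = re.compile(r"^\s*\[\[package\]\]\s*$")
_ANY_HEADER = re.compile(r"^\s*\[")
_NAME_OR_VERSION = re.compile(r'^\s*(name|version)\s*=\s*"([^"]*)"')


def _normalize(name: str) -> str:
    # PEP 503 normalisation so "Typing_Extensions" and "typing-extensions" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def lock_packages(lock_text: str) -> dict[str, str]:
    """Return {normalized_name: version} for every [[package]] entry in poetry.lock.

    Minimal line-based parser (tomllib would do on Python 3.11+): only the
    name/version keys at the top of each [[package]] table are read; sub-tables
    such as [package.dependencies] are skipped.
    """
    packages: dict[str, str] = {}
    current: dict[str, str] = {}
    in_package = False
    for line in lock_text.splitlines():
        if _PKG_HEADER.match(line):
            if current.get("name"):
                packages[_normalize(current["name"])] = current.get("version", "")
            current, in_package = {}, True
            continue
        if _ANY_HEADER.match(line):
            in_package = False
            continue
        if in_package and (m := _NAME_OR_VERSION.match(line)):
            current[m.group(1)] = m.group(2)
    if current.get("name"):
        packages[_normalize(current["name"])] = current.get("version", "")
    return packages


def sbom_components(bom_text: str) -> dict[str, str]:
    """Return {normalized_name: version} for every component of a CycloneDX JSON BOM."""
    bom = json.loads(bom_text)
    if "spdxVersion" in bom:
        raise ValueError("SPDX document given; this check expects CycloneDX JSON")
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX document: bomFormat={bom.get('bomFormat')!r}")
    return {_normalize(c["name"]): c.get("version", "") for c in bom.get("components", [])}


def sbom_gaps(lock_text: str, bom_text: str) -> dict[str, list[str]]:
    """Compare lock file against SBOM.

    An SBOM generated from the wrong interpreter shows up as most locked packages
    being 'missing' and the SBOM tool's own dependencies appearing as 'extra'.
    """
    locked = lock_packages(lock_text)
    found = sbom_components(bom_text)
    return {
        "missing": sorted(n for n in locked if n not in found),
        "version_mismatch": sorted(
            f"{n}: lock={locked[n]} sbom={found[n]}"
            for n in locked if n in found and found[n] != locked[n]
        ),
        "extra": sorted(n for n in found if n not in locked),
    }


def check_files(lock_path: str, bom_path: str) -> bool:
    """CI gate: True only if every locked package is in the SBOM at the locked version."""
    gaps = sbom_gaps(Path(lock_path).read_text(), Path(bom_path).read_text())
    return not gaps["missing"] and not gaps["version_mismatch"]


# Constructed poetry.lock excerpt (not the real project's lock file).
SAMPLE_LOCK = """
[[package]]
name = "requests"
version = "2.31.0"

[package.dependencies]
certifi = ">=2017.4.17"

[[package]]
name = "typing_extensions"
version = "4.9.0"

[metadata]
python-versions = ">=3.9"
"""

# Constructed SBOM as scanned from the runner interpreter: only the tool's own dependency.
SAMPLE_BOM_WRONG_ENV = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": "packageurl-python", "version": "0.13.4"}],
})

# Constructed SBOM as scanned from the Poetry environment.
SAMPLE_BOM_OK = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "typing-extensions", "version": "4.9.0"},
    ],
})

if __name__ == "__main__":
    for label, bom in (("runner-env", SAMPLE_BOM_WRONG_ENV), ("poetry-env", SAMPLE_BOM_OK)):
        print(label, sbom_gaps(SAMPLE_LOCK, bom))
```

In a workflow, run `check_files("poetry.lock", "bom.cdx.json")` after the generation step and fail the job when it returns False; that turns the silent "SBOM of the wrong environment" into a hard release failure. With cyclonedx-bom 4.x the SBOM can also be produced from the lock file directly with `cyclonedx-py poetry -o bom.cdx.json`, which sidesteps the interpreter question entirely.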
| - name: Set up Python & Poetry Environment | ||
| id: set-up-python-and-poetry-environment | ||
| uses: exasol/python-toolbox/.github/actions/python-environment@v9 | ||
| uses: exasol/python-toolbox/.github/actions/python-environment@v10 |
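Review bot: `uses: exasol/python-toolbox/.github/actions/python-environment@v10` points this repository's own workflow at a floating major tag of the same repository, so the workflow depends on that tag existing and being correct at run time; reference the action by its local path (`uses: ./.github/actions/python-environment`) for the self-release workflows, or by a full commit SHA, which also removes the mutable tag as a supply-chain input to the release job.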
Keep self-release workflows on an existing action ref
For this repository's own 10.0.0 release, release:trigger pushes the version tag first and only pushes the v10 major tag afterwards (exasol/toolbox/nox/_release.py lines 100-106, with create_major_version_tags=True). The CD workflow is triggered by that first tag, so this job can try to resolve exasol/python-toolbox/...@v10 before v10 exists and abort the release during the pre-check. The self-release workflows should keep using an already-existing ref (or the local action) until after the major tag is available.
Fixes #882