
chore: add sbom generation for releases #337

Merged (2 commits), Jan 31, 2023

Conversation

@Kavindu-Dodan (Contributor) commented Jan 27, 2023

This PR

Fixes #329

Adding SBOM generation through goreleaser. SBOM is generated per archive (see image for reference).

Along with the PR, changing deprecated archive naming [1]

How to test

Install goreleaser [2] and run the following command to get artefacts & SBOM generated in the local dist folder

goreleaser release --skip-publish --skip-validate --rm-dist

[1] - https://goreleaser.com/deprecations/#archivesreplacements
[2] - https://goreleaser.com/install/
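An illustrative `.goreleaser.yaml` fragment, added here and not taken from this PR's diff, showing the `name_template` form that replaces the deprecated `archives.replacements` block [1] next to a per-archive `sboms` entry; the `builds` section (main path, target platforms) is an assumption.

```yaml
# Illustrative goreleaser config (not the PR's actual file).
builds:
  - id: flagd
    main: .              # assumed entrypoint path
    env:
      - CGO_ENABLED=0
    goos: [linux, darwin, windows]
    goarch: ["386", amd64, arm64]

archives:
  - id: flagd-archive
    # Deprecated form (removed in newer goreleaser):
    # replacements:
    #   darwin: Darwin
    #   amd64: x86_64
    #   386: i386
    # Same mapping expressed as a template, per goreleaser's deprecation doc:
    name_template: >-
      {{ .ProjectName }}_
      {{- title .Os }}_
      {{- if eq .Arch "amd64" }}x86_64
      {{- else if eq .Arch "386" }}i386
      {{- else }}{{ .Arch }}{{ end }}
    format_overrides:
      - goos: windows
        format: zip

checksum:
  name_template: checksums.txt

sboms:
  # One SBOM document per release archive. goreleaser invokes syft by
  # default; the SBOM files land in dist/ beside the archives and can be
  # inspected before publishing.
  - id: archive-sbom
    artifacts: archive
```

After `goreleaser release --skip-publish --skip-validate --rm-dist`, `dist/` holds an SBOM file next to each archive, which is what the per-archive generation described above produces.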

@Kavindu-Dodan Kavindu-Dodan changed the title add sbom generation for releases feat: add sbom generation for releases Jan 27, 2023
@toddbaert toddbaert self-requested a review January 30, 2023 15:19
@toddbaert (Member)

@Kavindu-Dodan should we also add SBOM generation for the container image, like in OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124

@toddbaert (Member)

@Kavindu-Dodan Also I think the title should be "chore" or something like that. This is a "feature" in terms of security features, but not a new functional feature in flagd in the sense of semver or compatibility.

@Kavindu-Dodan Kavindu-Dodan changed the title feat: add sbom generation for releases chore: add sbom generation for releases Jan 30, 2023
@Kavindu-Dodan (Contributor, Author)

> @Kavindu-Dodan should we also add SBOM generation for the container image, like in OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124

Per my understanding, we are not scanning the image for SBOM generation in OFO but rather scanning only the source [1]. I will update this PR to introduce image scanning [2]. We might have to do the same (after validating things here) for OFO later on.

[1] - https://github.com/anchore/sbom-action#basic-usage
[2] - https://github.com/anchore/sbom-action#scan-a-container-image

@toddbaert (Member)

> > @Kavindu-Dodan should we also add SBOM generation for the container image, like in OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124
>
> Per my understanding, we are not scanning the image for SBOM generation in OFO but rather scanning only the source [1]. I will update this PR to introduce image scanning [2]. We might have to do the same (after validating things here) for OFO later on.
>
> [1] - https://github.com/anchore/sbom-action#basic-usage
> [2] - https://github.com/anchore/sbom-action#scan-a-container-image

Oh, interesting. I think you're right based on the doc.

Your plan sounds good.

@Kavindu-Dodan (Contributor, Author)

> > > @Kavindu-Dodan should we also add SBOM generation for the container image, like in OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124
> >
> > Per my understanding, we are not scanning the image for SBOM generation in OFO but rather scanning only the source [1]. I will update this PR to introduce image scanning [2]. We might have to do the same (after validating things here) for OFO later on.
> > [1] - https://github.com/anchore/sbom-action#basic-usage
> > [2] - https://github.com/anchore/sbom-action#scan-a-container-image
>
> Oh, interesting. I think you're right based on the doc.
>
> Your plan sounds good.

Updated the PR.

I validated the workflow in a test project - Release artefacts [1] & Image scan [2]. Let's see the workflow in action once merged 🤞

[1] - https://github.com/Kavindu-Dodan/flagd-grpc-sync/releases/tag/v0.6
[2] - https://github.com/Kavindu-Dodan/flagd-grpc-sync/actions/runs/4047491430/jobs/6961565162#step:6:18

@toddbaert (Member) left a comment

@beeme1mr could you take a look as well if you have a sec?

@skyerus (Contributor) left a comment

Nice!

Signed-off-by: Kavindu Dodanduwa <kavindudodanduwa@gmail.com>
Signed-off-by: Kavindu Dodanduwa <kavindudodanduwa@gmail.com>
@toddbaert toddbaert merged commit ffb8dc1 into open-feature:main Jan 31, 2023
beeme1mr pushed a commit that referenced this pull request Feb 7, 2023
@Kavindu-Dodan has contributed multiple significant changes and
proposals to flagd:

- multiple refactors: #291,
#307
- ci/security improvements:
#338,
#337
- architectural proposals (some of which got some attention from outside
parties!): open-feature/ofep#45,
open-feature/flagd-schemas#78,
#249 (comment)
- load testing: #225
- documentation improvements

For these reasons, I believe he should be made a CODEOWNER in this
repository.

NOTE: before this is merged, @Kavindu-Dodan should be added with at
least `maintainer` permissions to the repo.

Signed-off-by: Todd Baert <toddbaert@gmail.com>
Linked issue: [FEATURE] Add SBOM to release