Allow update tasks to bump version numbers in CPE & PURL #484

Merged Dec 3, 2021 (9 commits)

dmikusa (Contributor) commented Dec 2, 2021

Summary

  • Prior to this PR, CPE & PURL metadata would not be updated in PRs that are generated to bump a dependency version
  • This PR allows the update job to bump the CPE & PURL as well as the version. This requires "Add flags to update cpe & purl" (libpak#112).
  • For this to work, actions don't need to be updated. The default values will use the same pattern for version, CPE & PURL. This works for the majority of actions.
  • It doesn't work for JVM related actions. This is because Java 8 has a one-off CPE format. This is being supported by modifying the actions for JVMs such that they also output a CPE. This needs to be paired with a CPE Pattern, which would be specified in the pipeline-descriptor.yml file.
  • This PR also modifies the descriptor such that you can set the cpe and purl pattern.

Use Cases

Enable update jobs to bump version numbers in CPEs & PURLs.

Checklist

  • I have viewed, signed, and submitted the Contributor License Agreement.
  • I have linked issue(s) that this PR should close using keywords or the GitHub UI (See docs)
  • I have added an integration test, if necessary.
  • I have reviewed the styleguide for guidance on my code quality.
  • I'm happy with the commit history on this PR (I have rebased/squashed as needed).

- Prior to this PR, CPE & PURL metadata would not be updated in PRs that are generated to bump a dependency version
- This PR allows the update job to bump the CPE & PURL as well as the version. This requires paketo-buildpacks/libpak#112.
- For this to work, actions don't need to be updated. The default values will use the same pattern for version, CPE & PURL. This works for the majority of actions.
- It doesn't work for JVM related actions. This is because Java 8 has a one-off CPE format. This is being supported by modifying the actions for JVMs such that they also output a CPE. This needs to be paired with a CPE Pattern, which would be specified in the pipeline-descriptor.yml file.
- This PR also modifies the descriptor such that you can set the cpe and purl pattern.

Signed-off-by: Daniel Mikusa <dmikusa@vmware.com>
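
The pattern-based bump described in the PR summary, as an added Go example that is not code from this PR, libpak or pipeline-builder. The `Dep`, `Update` and `Bump` names are hypothetical, the sample values are constructed, and the `1.8.0:updateNNN` shape of the Java 8 CPE is assumed for illustration. It shows why the default version pattern leaves a Java 8 CPE untouched, and how a separate CPE value and CPE pattern fix that, with a hard failure when a pattern matches nothing so that stale metadata is not passed on to vulnerability matching.

```go
package main

import (
	"fmt"
	"regexp"
)

// Dep and Update are shapes made up for this example, not the project's types.
type Dep struct{ Version, CPE, PURL string }

// Update: empty CPE/PURL values or patterns fall back to the version's.
type Update struct{ Version, VersionPattern, CPE, CPEPattern, PURL, PURLPattern string }

func or(a, b string) string {
	if a != "" {
		return a
	}
	return b
}

// Bump rewrites the old version inside each field and fails when a pattern
// matches nothing, so a stale identifier is reported instead of shipped.
func Bump(d Dep, u Update) (Dep, error) {
	fields := []struct {
		name, pattern, value string
		target               *string
	}{
		{"version", u.VersionPattern, u.Version, &d.Version},
		{"cpe", or(u.CPEPattern, u.VersionPattern), or(u.CPE, u.Version), &d.CPE},
		{"purl", or(u.PURLPattern, u.VersionPattern), or(u.PURL, u.Version), &d.PURL},
	}
	for _, f := range fields {
		re, err := regexp.Compile(f.pattern)
		if err != nil {
			return Dep{}, fmt.Errorf("%s: bad pattern: %w", f.name, err)
		}
		if f.pattern == "" || !re.MatchString(*f.target) {
			return Dep{}, fmt.Errorf("%s: pattern %q is empty or matches nothing in %q", f.name, f.pattern, *f.target)
		}
		*f.target = re.ReplaceAllLiteralString(*f.target, f.value)
	}
	return d, nil
}

func main() {
	// Constructed sample values; the Java 8 CPE keeps its version as 1.8.0:updateNNN.
	j8 := Dep{"8.0.302", "cpe:2.3:a:oracle:jdk:1.8.0:update302:*:*:*:*:*:*", "pkg:generic/sample-jdk@8.0.302?arch=amd64"}
	fmt.Println(Bump(j8, Update{Version: "8.0.312", VersionPattern: `8\.0\.[\d]+`}))
	fmt.Println(Bump(j8, Update{Version: "8.0.312", VersionPattern: `8\.0\.[\d]+`, CPE: "1.8.0:update312", CPEPattern: `1\.8\.0:update[\d]+`}))
}
```
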
dmikusa added the labels type:enhancement (A general enhancement) and semver:minor (A change requiring a minor version bump) on Dec 2, 2021
dmikusa requested a review from a team on December 2, 2021 19:28
Review threads (outdated, resolved):
actions/adoptium-dependency/main.go
actions/alibaba-dragonwell-dependency/main.go
actions/amazon-corretto-dependency/main.go
actions/azul-zulu-dependency/main.go
actions/bellsoft-liberica-dependency/main.go
actions/foojay-dependency/main.go
actions/graalvm-dependency/main.go
actions/ibm-semeru-dependency/main.go
Daniel Mikusa and others added 8 commits December 2, 2021 16:49
Co-authored-by: David O'Sullivan <31728678+pivotal-david-osullivan@users.noreply.github.com>