
chore: add sbom generation for releases#337

Merged
toddbaert merged 2 commits intoopen-feature:mainfrom
Kavindu-Dodan:feature/sbom-to-release
Jan 31, 2023

Conversation

@Kavindu-Dodan
Contributor

@Kavindu-Dodan Kavindu-Dodan commented Jan 27, 2023

This PR

Fixes #329

Adding SBOM generation through goreleaser. An SBOM is generated per archive (see image for reference).

Along with the PR, changing the deprecated archive naming [1].

(screenshot omitted)

How to test

Install goreleaser [2] and run the following command to get the artefacts & SBOMs generated in the local dist folder:

```shell
goreleaser release --skip-publish --skip-validate --rm-dist
```

[1] - https://goreleaser.com/deprecations/#archivesreplacements
[2] - https://goreleaser.com/install/
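As an added example (this is not the PR's diff, which is not shown on this page), a `.goreleaser.yaml` fragment with the two changes the description refers to: an `sboms` entry that makes goreleaser emit one SBOM document per archive, and the `name_template` form that replaces the deprecated `archives.replacements` map. The project name, build matrix and document naming are assumptions; the syft invocation is goreleaser's documented default, written out explicitly so it is visible.

```yaml
# Added example: .goreleaser.yaml fragment (not the PR's actual diff).
project_name: flagd          # assumption: archive/binary name prefix

builds:
  - env:
      - CGO_ENABLED=0
    goos: [linux, darwin, windows]
    goarch: [amd64, arm64]

archives:
  - id: default
    # Replacement for the deprecated `replacements` map: the OS/arch
    # renaming is done inside name_template instead (pattern from
    # https://goreleaser.com/deprecations/#archivesreplacements).
    name_template: >-
      {{ .ProjectName }}_
      {{- title .Os }}_
      {{- if eq .Arch "amd64" }}x86_64
      {{- else if eq .Arch "386" }}i386
      {{- else }}{{ .Arch }}{{ end }}

sboms:
  # One SBOM per archive. goreleaser shells out to syft, so syft must be
  # on PATH (locally: install from https://github.com/anchore/syft;
  # in GitHub Actions: anchore/sbom-action/download-syft@v0).
  - id: archive-sboms
    artifacts: archive
    documents:
      - "${artifact}.sbom"          # assumption: one .sbom next to each archive
    cmd: syft
    args: ["$artifact", "--output", "spdx-json=$document"]
```

After `goreleaser release --skip-publish --skip-validate --rm-dist`, `dist/` should contain a `<archive>.sbom` beside every archive and the `.sbom` files are listed in the checksums file along with the archives, so a consumer who verifies checksums also covers the SBOMs. Note that `artifacts: archive` describes what is inside the tarball/zip (the Go binary and the modules syft can read from its build info), not the container image; an image SBOM needs a separate scan of the pushed image.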

@Kavindu-Dodan Kavindu-Dodan changed the title add sbom generation for releases feat: add sbom generation for releases Jan 27, 2023
@toddbaert toddbaert self-requested a review January 30, 2023 15:19
@toddbaert
Member

@Kavindu-Dodan should we also add SBOM generation for the container image, like in OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124

@toddbaert
Member

@Kavindu-Dodan Also I think the title should be "chore" or something like that. This is a "feature" in terms of security features, but not a new functional feature in flagd in the sense of semver or compatibility.

@Kavindu-Dodan Kavindu-Dodan changed the title feat: add sbom generation for releases chore: add sbom generation for releases Jan 30, 2023
@Kavindu-Dodan Kavindu-Dodan force-pushed the feature/sbom-to-release branch from 2b57b54 to e297f35 Compare January 30, 2023 17:17
@Kavindu-Dodan
Contributor Author

> @Kavindu-Dodan should we also add SBOM generation for the container image, like in OFO? https://github.com/open-feature/open-feature-operator/blob/312e91e6f9c1c44b9d642c74e031742f78c0f7f9/.github/workflows/release-please.yml#L124

Per my understanding, we are not scanning the image for SBOM generation in OFO but rather scanning only the source [1]. I will update this PR to introduce image scanning [2]. We might have to do the same (after validating things here) for OFO later on.

[1] - https://github.com/anchore/sbom-action#basic-usage
[2] - https://github.com/anchore/sbom-action#scan-a-container-image

@toddbaert
Member

Oh, interesting. I think you're right based on the doc.

Your plan sounds good.

@Kavindu-Dodan
Contributor Author

Updated the PR.

I validated the workflow in a test project - Release artefacts [1] & Image scan [2]. Let's see the workflow in action once merged 🤞

[1] - https://github.com/Kavindu-Dodan/flagd-grpc-sync/releases/tag/v0.6
[2] - https://github.com/Kavindu-Dodan/flagd-grpc-sync/actions/runs/4047491430/jobs/6961565162#step:6:18
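As an added example (not the workflow this PR adds, which is not shown on this page), the two `anchore/sbom-action` usages discussed in this thread side by side in a release job: the source scan, which is what the linked OFO workflow does, and the image scan the PR moves to. The job name `release`, its `tag_name` output, the image reference and the artifact names are assumptions; the action inputs (`image`, `registry-username`, `registry-password`, `format`, `artifact-name`, `upload-release-assets`) are the ones documented in the sbom-action README.

```yaml
# Added example: release workflow fragment (not the PR's actual diff).
# Assumes an earlier job `release` has pushed the image and exposes the
# release tag as `outputs.tag_name` (release-please style).
jobs:
  sbom:
    needs: release
    runs-on: ubuntu-latest
    permissions:
      contents: write      # attach SBOMs to the GitHub release
      packages: read       # pull the image from GHCR
    steps:
      - uses: actions/checkout@v3

      # Source scan (the OFO pattern). With no `image` input the action
      # runs syft against the checkout: it records the Go module graph,
      # not the OS packages and files that actually ship in the container.
      - name: SBOM of the source tree
        uses: anchore/sbom-action@v0
        with:
          format: spdx-json
          artifact-name: flagd-source.spdx.json      # assumption

      # Image scan. syft pulls the pushed image and records the base-image
      # packages plus the binary, i.e. the SBOM that matches the artifact
      # users deploy. Credentials are needed for a private/GHCR image.
      - name: SBOM of the container image
        uses: anchore/sbom-action@v0
        with:
          image: ghcr.io/open-feature/flagd:${{ needs.release.outputs.tag_name }}   # assumption
          registry-username: ${{ github.actor }}
          registry-password: ${{ secrets.GITHUB_TOKEN }}
          format: spdx-json
          artifact-name: flagd-image.spdx.json       # assumption
          upload-release-assets: true                # only takes effect on release events
```

A quick check that the image scan did what was intended is to open the downloaded document and list package names (for SPDX JSON, `jq -r '.packages[].name' flagd-image.spdx.json`): the image SBOM should contain the base image's OS packages next to the Go modules, while the source SBOM contains Go modules only. If both documents look identical, the `image` input was not picked up and the action fell back to scanning the checkout.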

@Kavindu-Dodan Kavindu-Dodan force-pushed the feature/sbom-to-release branch from be4c676 to 32908ac Compare January 30, 2023 19:53
Member

@toddbaert toddbaert left a comment


@beeme1mr could you take a look as well if you have a sec?

@Kavindu-Dodan Kavindu-Dodan force-pushed the feature/sbom-to-release branch from 32908ac to a371a80 Compare January 30, 2023 20:39
@beeme1mr beeme1mr self-requested a review January 30, 2023 21:38
@Kavindu-Dodan Kavindu-Dodan force-pushed the feature/sbom-to-release branch from 1af7e69 to cbf500e Compare January 30, 2023 23:25
Contributor

@skyerus skyerus left a comment


Nice!

Signed-off-by: Kavindu Dodanduwa <kavindudodanduwa@gmail.com>
Signed-off-by: Kavindu Dodanduwa <kavindudodanduwa@gmail.com>
@toddbaert toddbaert force-pushed the feature/sbom-to-release branch from cbf500e to 53a57a5 Compare January 31, 2023 14:41
@toddbaert toddbaert merged commit ffb8dc1 into open-feature:main Jan 31, 2023
beeme1mr pushed a commit that referenced this pull request Feb 7, 2023
@Kavindu-Dodan has contributed multiple significant changes and
proposals to flagd:

- multiple refactors: #291,
#307
- ci/security improvements:
#338,
#337
- architectural proposals (some of which got some attention from outside
parties!): open-feature/ofep#45,
open-feature/flagd-schemas#78,
#249 (comment)
- load testing: #225
- documentation improvements

For these reasons, I believe he should be made a CODEOWNER in this
repository.

NOTE: before this is merged, @Kavindu-Dodan should be added with at
least `maintainer` permissions to the repo.

Signed-off-by: Todd Baert <toddbaert@gmail.com>
raphael-wigoutschnigg-dt pushed a commit to open-feature-forking/flagd that referenced this pull request Mar 11, 2025
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

[FEATURE] Add SBOM to release

4 participants