devfile / api

Kube-native API for cloud development workspaces specification
Apache License 2.0

CNCF Mechanizer #1296

Open maysunfaisal opened 8 months ago

maysunfaisal commented 8 months ago

/kind user-story

Which area is this user story related to?

/area api /area library /area registry /area alizer /area devworkspace /area landing-page

User Story

The Mechanizer Badge

Requirements - https://github.com/devfile/api/discussions/1283

To satisfy this requirement, we need to have an automated mechanism to publish our SBOMs upon every release. The problem is, our release process is on demand, and because it's infrequent, we've been content with just running our scripts manually.

The webinar mentioned goreleaser, which automates the release process and can generate SBOMs. This looks interesting, and it is something we should look into since there is the potential it can be adopted by our other repos. We can refer to this example, which uses goreleaser.

TODO

I've considered other alternatives, like using one of the recommended SBOM generator tools to generate and upload an artifact in our CI workflow, but this is not tied to our release process. We may need to manually download the artifact and drop it in whenever we cut a release, so I don't think it will satisfy the badge requirements.

Estimated Time: ~3-4 weeks (assuming everything is straightforward with the investigation)

Edit: I just thought of another approach. We can consider keeping the existing release process and just integrating the SBOM generation. Since we are using the hub CLI to create the release, we need to figure out if there's a command to upload the generated artifact. This could cut down the time to 1-2 weeks.

Triaged at https://github.com/devfile/api/issues/1292#issuecomment-1769502996

Repo Checklist
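The goreleaser approach described in the user story above, as an added example that is not part of the issue or the devfile/api project's own configuration. It shows a `.goreleaser.yaml` whose `sboms` section generates an SPDX SBOM for every release archive with syft and attaches it as a release asset, together with a tag-triggered GitHub Actions workflow that runs goreleaser so SBOM publication is tied to the release rather than to an on-demand script. The `builds` section (entrypoint, target platforms) and the workflow file name are assumptions for illustration; the repository owner and name come from the page.

```yaml
# .goreleaser.yaml (hypothetical example; not the project's own file)

builds:
  - id: api
    main: ./main.go            # assumed entrypoint; adjust to the real package path
    env:
      - CGO_ENABLED=0          # static binaries, so the SBOM reflects only Go modules
    goos: [linux, darwin]
    goarch: [amd64, arm64]

archives:
  - id: archive
    format: tar.gz

checksum:
  name_template: "checksums.txt"   # checksums cover the SBOM documents as well

# One SPDX JSON SBOM per archive, produced by syft and uploaded with the release.
sboms:
  - id: archive-sbom
    artifacts: archive
    documents:
      - "${artifact}.spdx.json"
    cmd: syft
    args: ["$artifact", "--output", "spdx-json=$document"]

release:
  github:
    owner: devfile
    name: api
  prerelease: auto

---
# .github/workflows/release.yaml (hypothetical; not the project's own workflow)
name: release
on:
  push:
    tags: ["v*"]               # pushing a version tag is the release trigger
permissions:
  contents: write              # required to create the release and upload assets
jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0       # goreleaser needs full history for tags and changelog
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: anchore/sbom-action/download-syft@v0   # installs syft for the sboms step
      - uses: goreleaser/goreleaser-action@v5
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

With this layout, every `vX.Y.Z` tag push produces the binaries, archives, checksums and SBOMs in one run and uploads them all as assets of the same GitHub release, which is the "published on every release" property the badge asks for; no one has to download and re-attach an artifact by hand. Running `goreleaser release --snapshot --clean` locally (with syft on the PATH) builds the same set of files under `dist/` without publishing, which is a cheap way to check that the SBOM documents come out as expected before cutting a real release.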

yangcao77 commented 7 months ago

Needs further investigation before refinement.

thepetk commented 4 months ago

Putting this item back to refinement as there was some progress in the parent EPIC issue.