dotnet / NuGet.BuildTasks

The build tasks used to pick up package content from project.lock.json.
MIT License

Add SBOM to the official build pipeline #144

Closed MiYanni closed 2 years ago

MiYanni commented 2 years ago

Detailed information here: https://github.com/dotnet/project-system/pull/7955

This adds software bill of materials (SBOM) to the official build pipeline. This is required for Microsoft products and the information is required to be in our .vsman file for Visual Studio insertion. I reused the same .ps1 script I made for the project-system repo to do the update process for the json manifest.

Successful build: https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=5948260&view=results

From the manifest json:

"payloads": [
    {
        "fileName": "Microsoft.NuGet.Build.Tasks.Setup.vsix",
        "size": ------
    },
    {
        "fileName": "Microsoft.NuGet.Build.Tasks.Setup_sbom.json",
        "size": ------
    }
],

From the vsman file:

(screenshot of the .vsman file showing the SBOM payload entry)
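The comment above describes a script that adds the SBOM payload to the manifest json alongside the .vsix. As an added illustration, not the .ps1 script from the project-system repo or anything in NuGet.BuildTasks, here is the same update step written in Python: it derives the SBOM file name from each .vsix payload using the `<Name>_sbom.json` convention visible in the excerpt (an assumption about the naming rule), records the size read from disk, refuses to proceed if the SBOM file is missing, stays idempotent across re-runs, and includes a consistency check that every recorded size still matches the file. The manifest, the .vsix bytes and the SBOM document in `run_demo` are constructed sample input.

```python
import json
import os
import tempfile


def sbom_payload_name(vsix_name: str) -> str:
    """Derive the SBOM payload name from a .vsix payload name.

    Assumed convention, taken from the manifest excerpt on this page:
    <Name>.vsix -> <Name>_sbom.json
    """
    stem, ext = os.path.splitext(vsix_name)
    if ext.lower() != ".vsix":
        raise ValueError(f"not a .vsix payload: {vsix_name}")
    return f"{stem}_sbom.json"


def add_sbom_payloads(manifest: dict, payload_dir: str) -> dict:
    """Add a payload entry for each .vsix's SBOM, with the size read from disk.

    Idempotent: entries that already exist are left alone. A missing SBOM file
    is an error rather than a silently skipped entry, so a pipeline that did not
    generate one fails here instead of shipping a manifest without it.
    """
    payloads = manifest.setdefault("payloads", [])
    known = {p["fileName"] for p in payloads}
    for entry in list(payloads):
        name = entry["fileName"]
        if not name.lower().endswith(".vsix"):
            continue
        sbom_name = sbom_payload_name(name)
        if sbom_name in known:
            continue
        sbom_path = os.path.join(payload_dir, sbom_name)
        if not os.path.isfile(sbom_path):
            raise FileNotFoundError(f"SBOM for {name} not found: {sbom_path}")
        payloads.append({"fileName": sbom_name, "size": os.path.getsize(sbom_path)})
        known.add(sbom_name)
    return manifest


def verify_payload_sizes(manifest: dict, payload_dir: str) -> list:
    """Return (fileName, recorded, actual) for every payload whose size on disk
    disagrees with the manifest; an empty list means the manifest is consistent.
    A missing file is reported with actual = None.
    """
    problems = []
    for entry in manifest.get("payloads", []):
        path = os.path.join(payload_dir, entry["fileName"])
        actual = os.path.getsize(path) if os.path.isfile(path) else None
        if actual != entry["size"]:
            problems.append((entry["fileName"], entry["size"], actual))
    return problems


def run_demo() -> dict:
    """Constructed end-to-end run in a temp directory (no real build output)."""
    vsix_bytes = b"constructed placeholder for a vsix package"
    # Constructed placeholder document; the SBOM format is not specified on this page.
    sbom_bytes = json.dumps({"constructed": "sample SBOM document"}, indent=2).encode()
    vsix_name = "Microsoft.NuGet.Build.Tasks.Setup.vsix"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, vsix_name), "wb") as f:
            f.write(vsix_bytes)
        with open(os.path.join(d, sbom_payload_name(vsix_name)), "wb") as f:
            f.write(sbom_bytes)
        manifest = {"payloads": [{"fileName": vsix_name, "size": len(vsix_bytes)}]}
        add_sbom_payloads(manifest, d)
        add_sbom_payloads(manifest, d)  # second run must not duplicate the entry
        clean = verify_payload_sizes(manifest, d)
        # Simulate a payload replaced after the manifest was written.
        with open(os.path.join(d, vsix_name), "ab") as f:
            f.write(b"!")
        tampered = verify_payload_sizes(manifest, d)
    return {"payloads": manifest["payloads"], "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The size field is what the manifest excerpt carries, so that is what the check compares; a matching size is a consistency check on the manifest, not an integrity guarantee for the payload, and it does not replace the hashes and signatures the real pipeline applies to the .vsix.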

MiYanni commented 2 years ago

@drewnoakes The script is more of a 'hack' than it is a proper solution. Both our (project-system) infrastructure (using RepoToolset) and this one (using Arcade) have the same basic principles for creating our vsix and vsman file(s). What I'll do is add an issue in the project-system repo for the build infrastructure simplification to see if we can use the same infra in any of our repos (project-system, project-system-tools, NuGet.BuildTasks, ProjFileTools). I'm not trying to make Arcade 2 here, but we should be able to share the processes across our repos, even though they all aren't inserting into VS.