dpage / winpgbuild

A repo containing GitHub actions for building PostgreSQL and its dependencies on Windows

Add manifests to binary artefacts #30

Open dpage opened 2 months ago

dpage commented 2 months ago

The binary artefacts that we upload should include manifest files that document at a minimum the version of each package included within them. This can be extended to include upstream website and licence info for example, to help users with any compliance or supply chain validation requirements they may have.

My initial thought is to have each action generate its own manifest file for whatever it's building, and include that in its binary artefact. It would also include the manifest file for any dependencies that it may include (e.g. postgresql would include the manifests for openssl, kerberos, gettext etc.)

See also #29.
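
An added example, not part of the issue or of the winpgbuild repository: one way the per-package manifest with embedded dependency manifests could be generated and checked. The JSON layout, the field names, the per-file SHA-256 digests and all function names are assumptions; the issue does not define a format.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(name, version, artefact_dir, url=None, licence=None, dependencies=()):
    """Describe one built package and embed the manifests of its dependencies."""
    root = Path(artefact_dir)
    files = {p.relative_to(root).as_posix(): _sha256(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"name": name, "version": version, "url": url, "licence": licence,
            "files": files, "dependencies": list(dependencies)}

def flatten_versions(manifest):
    """Return {package name: set of versions} across the whole dependency tree."""
    seen, stack = {}, [manifest]
    while stack:
        m = stack.pop()
        seen.setdefault(m["name"], set()).add(m["version"])
        stack.extend(m.get("dependencies", []))
    return seen

def version_conflicts(manifest):
    """Packages bundled more than once with differing versions."""
    return {n: sorted(v) for n, v in flatten_versions(manifest).items() if len(v) > 1}

def verify_files(manifest, artefact_dir):
    """Return listed paths that are missing or whose digest no longer matches."""
    root = Path(artefact_dir)
    return [rel for rel, digest in manifest["files"].items()
            if not (root / rel).is_file() or _sha256(root / rel) != digest]

if __name__ == "__main__":
    # Constructed sample artefacts and version strings, for illustration only.
    with tempfile.TemporaryDirectory() as tmp:
        ssl_dir, pg_dir = Path(tmp, "openssl"), Path(tmp, "postgresql")
        ssl_dir.mkdir()
        pg_dir.mkdir()
        (ssl_dir / "libssl.dll").write_bytes(b"constructed sample")
        (pg_dir / "postgres.exe").write_bytes(b"constructed sample")
        ssl = build_manifest("openssl", "0.0.1-sample", ssl_dir, licence="sample")
        pg = build_manifest("postgresql", "0.0.2-sample", pg_dir, dependencies=[ssl])
        print(json.dumps(pg, indent=2))
        print("conflicts:", version_conflicts(pg))
        print("modified:", verify_files(pg, pg_dir))
```
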