feat: update CycloneDX SBOM action inputs and improve digest handling#579
Open
AlexFernandes-MOVAI wants to merge 1 commit into
This pull request updates the CycloneDX SBOM (Software Bill of Materials) generation and attachment process in the Docker workflow. The main focus is on improving the handling and validation of image digests, simplifying the image reference construction, and making the SBOM steps more robust and maintainable. Additionally, some workflow steps related to version bumping and release creation have been removed or refactored.
SBOM Generation and Image Digest Handling Improvements:
The `digest` input in `.github/actions/attach-cyclonedx-sbom/action.yml` is now required, and the logic for extracting and validating the digest has been improved to ensure it matches the expected format (`sha256:...`). This prevents accidental use of invalid or missing digests. [1] [2]
In the Docker workflow (`.github/workflows/docker-workflow.yml`), SBOM generation now passes the `image` and `digest` separately, and image references are constructed more reliably using a new preparation step. [1] [2] [3]
Workflow Refactoring and Cleanup:
These changes make the SBOM attachment process more robust, reduce the risk of errors due to invalid digests, and simplify the workflow for easier maintenance.
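As an added illustration of the digest check and immutable image-reference construction the PR describes (example code, not the action's own; the function names `validate_digest` and `image_ref` and the sample image name are assumptions):

```shell
#!/usr/bin/env bash
# Constructed example: strict digest validation and "<image>@<digest>" reference
# construction for an SBOM-attach step. Not code from the attach-cyclonedx-sbom action.
set -u

# Return 0 only if $1 is a well-formed OCI digest: "sha256:" plus 64 lowercase hex chars.
validate_digest() {
  local digest="$1"
  case "$digest" in
    sha256:*) ;;
    *) return 1 ;;
  esac
  local hex="${digest#sha256:}"
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Build the immutable reference "<image>@<digest>" that the SBOM should be attached to.
# Fails closed (non-zero exit, no output) rather than silently falling back to a mutable tag.
image_ref() {
  local image="$1" digest="${2:-}"
  if [ -z "$image" ]; then
    echo "image is required" >&2
    return 1
  fi
  if ! validate_digest "$digest"; then
    echo "invalid or missing digest: '${digest}'" >&2
    return 1
  fi
  # Strip any digest already present on the image so we never emit "img@sha256:..@sha256:..".
  printf '%s@%s\n' "${image%%@*}" "$digest"
}
```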