ci(NODE-7025): New SBOM generation workflow on dependencies change #4807
base: main
Conversation
| @@ -0,0 +1,19 @@ | |||
| name: Setup PHP SBOM | |||
This seems like it was a copy-paste from the PHP implementation?
Yeah, I was replicating the structure but missed updating the text in all places. Removed, since no setup is needed.
.github/actions/setup/action.yml (Outdated)
| name: Setup Node SBOM | ||
| description: Sets up environment for generating SBOM in Node.js projects | ||
| inputs: | ||
| working-directory: |
This action shouldn't be necessary because:
- the shared setup action we use (and which is called in sbom.yml) already configures Node
- cyclonedx/cdxgen appears to be unused
Removed, as we use npx and direct download.
.github/workflows/sbom.yml (Outdated)
| permissions: | ||
| contents: write | ||
| pull-requests: write |
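Review bot: the `permissions:` block grants `contents: write` at workflow scope, so every job and step in the workflow, including the `npx` invocation and the direct tool download mentioned above, runs with a write-capable GITHUB_TOKEN. Keep the workflow default read-only (`contents: read`) and declare `contents: write` only on the job that commits the SBOM, so a compromised generator step cannot push to main on its own.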
| pull-requests: write |
I think we can remove this permission now that we're committing to main, right?
removed
| concurrency: | ||
| group: sbom-${{ github.ref }} | ||
| cancel-in-progress: false |
| cancel-in-progress: false | |
| cancel-in-progress: true |
I definitely think we want cancel-in-progress: true (or limit concurrency to one execution at a time). Otherwise it would be "last action to finish wins", right?
For this one, I'd keep the false value, since it lets the running job finish while the new job stays pending: no parallel execution, and we don't terminate a job in a weird state.
Okay, that's fine too. But then we should probably change the group to an identifier that doesn't include the git ref (which would be different for every action that runs, right?)
.github/workflows/sbom.yml (Outdated)
| - name: Load version and package info | ||
| uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 | ||
| with: | ||
| npm_package_name: mongodb |
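Review bot: `mongodb-labs/drivers-github-tools/node/get_version_info@v3` references a floating major tag rather than an immutable commit; a workflow that writes to main should pin cross-repo actions to a full commit SHA (keeping `# v3` as a trailing comment) so that moving the tag in the tools repo cannot change what runs here. If this step is dropped as suggested, apply the same pinning to the remaining `drivers-github-tools` references such as `node/setup@v3`.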
| - name: Load version and package info | |
| uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 | |
| with: | |
| npm_package_name: mongodb |
This shouldn't be necessary
Don't remember why I added it, but I'll trust you and remove it.
.github/workflows/sbom.yml (Outdated)
| - name: Generate/Update package-lock.json | ||
| run: | | ||
| echo "Resolving dependencies and generating package-lock.json..." | ||
| npm install --package-lock-only |
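Review bot: `npm install --package-lock-only` re-resolves the dependency tree and can rewrite package-lock.json inside CI, so the SBOM would describe a lockfile that differs from the committed one, and the run could commit an unreviewed lock update alongside sbom.json. If the committed lock is authoritative, resolve from it with `npm ci` (which fails when package.json and the lock disagree) and drop this step; if the intent really is to refresh the lock, make that a separate, reviewable change.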
We've already run npm install above in mongodb-labs/drivers-github-tools/node/setup@v3. Is it necessary to only install from package-lock? If so, we might want to remove the call to the above action.
removed
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Generate SBOM |
Could we move the contents of this action into a standalone script? That's easier to maintain and run locally than a GitHub action.
| env: | ||
| SBOM_FILE: "sbom.json" |
| env: | |
| SBOM_FILE: "sbom.json" |
This won't ever change, I think, so we should be able to remove it.
| @@ -1,51 +1,553 @@ | |||
| { | |||
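Review bot: the hunk header shows sbom.json growing from 51 to 553 lines, which is too much to verify by eye; before merging, compare the `components` list against the tree reported by `npm ls --all --json` (which lists installed optional and peer packages) so gaps such as the missing optional dependencies raised below are caught mechanically on every run rather than in review.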
I don't see optional dependencies included in the sbom
(any dependency in the peerDependencies section of our package.json is an optional dependency)
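One way to catch the gap noted in this comment, and a natural companion to the standalone script suggested earlier in the thread, is a check that compares the CycloneDX `components` list against every dependency section of package.json, `optionalDependencies` and `peerDependencies` included. The following is an added example, not the driver's or this PR's code; the package.json and SBOM objects are constructed for the example, and the file names in the usage comment are assumptions.

```javascript
// Added example (not the project's own code): report dependencies declared in
// package.json that have no matching component in a CycloneDX SBOM.
// The sample inputs below are constructed for this example.

const DEP_SECTIONS = ['dependencies', 'optionalDependencies', 'peerDependencies'];

// Map a CycloneDX component to its full npm package name. Prefer the purl
// ("pkg:npm/%40scope/name@1.2.3"); fall back to group/name for components
// that carry no purl.
function componentName(component) {
  if (typeof component.purl === 'string' && component.purl.startsWith('pkg:npm/')) {
    let spec = component.purl.slice('pkg:npm/'.length);
    spec = spec.split(/[?#]/)[0];        // drop purl qualifiers and subpath
    spec = decodeURIComponent(spec);     // %40scope -> @scope
    const at = spec.lastIndexOf('@');    // version separator, never the leading scope "@"
    return at > 0 ? spec.slice(0, at) : spec;
  }
  return component.group ? `${component.group}/${component.name}` : component.name;
}

// Return { section: [missing package names] } for every section with a gap;
// an empty object means the SBOM covers everything package.json declares.
function findMissing(pkg, sbom) {
  const present = new Set((sbom.components || []).map(componentName));
  const missing = {};
  for (const section of DEP_SECTIONS) {
    const gaps = Object.keys(pkg[section] || {}).filter(name => !present.has(name));
    if (gaps.length > 0) missing[section] = gaps;
  }
  return missing;
}

// Constructed sample package.json: the peer dependencies play the role of the
// optional dependencies the review comment says are absent from the SBOM.
const SAMPLE_PACKAGE_JSON = {
  name: 'mongodb',
  dependencies: { bson: '^6.10.0', '@mongodb-js/saslprep': '^1.1.0' },
  peerDependencies: { snappy: '^7.2.2', 'mongodb-client-encryption': '>=6.0.0 <7' }
};

// Constructed sample SBOM: covers the regular dependencies and one peer
// dependency, but omits mongodb-client-encryption.
const SAMPLE_SBOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  components: [
    { type: 'library', name: 'bson', version: '6.10.0', purl: 'pkg:npm/bson@6.10.0' },
    { type: 'library', group: '@mongodb-js', name: 'saslprep', version: '1.1.0',
      purl: 'pkg:npm/%40mongodb-js/saslprep@1.1.0' },
    { type: 'library', name: 'snappy', version: '7.2.2' }   // no purl: group/name fallback
  ]
};

// Run the check on the constructed samples and return the gap report.
function checkSamples() {
  return findMissing(SAMPLE_PACKAGE_JSON, SAMPLE_SBOM);
}

// CLI usage (assumed file names): node check-sbom-coverage.js package.json sbom.json
// Exits non-zero when any declared dependency is missing, so CI can fail on it.
if (typeof require !== 'undefined' && require.main === module && process.argv.length === 4) {
  const fs = require('fs');
  const [pkgPath, sbomPath] = process.argv.slice(2);
  const read = p => JSON.parse(fs.readFileSync(p, 'utf8'));
  const report = findMissing(read(pkgPath), read(sbomPath));
  if (Object.keys(report).length > 0) {
    console.error('SBOM is missing declared dependencies:', JSON.stringify(report, null, 2));
    process.exit(1);
  }
  console.log('SBOM covers every dependency declared in package.json');
}
```

Run against the constructed samples, the report is `{ peerDependencies: ['mongodb-client-encryption'] }`. Wired into the workflow after generation, a non-empty report fails the run instead of silently committing an SBOM that under-reports the dependency surface; the purl-first matching handles scoped packages, which the bare `name` field of a CycloneDX component does not.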
Description
Summary of Changes
This PR adds a new GitHub Actions workflow that will be triggered on package changes.
The trigger will generate a new SBOM.json file and, if it differs from the one in the project, will create a PR.
Notes for Reviewers
Please review if this is going to work for how you handle project branches.
What is the motivation for this change?
SSDLC Improvement Goals
Double check the following
- `npm run check:lint`
- PR title format: `type(NODE-xxxx)[!]: description`, e.g. `feat(NODE-1234)!: rewriting everything in coffeescript`