Comments (5)
@jspeed-meyers I am not very good with GH actions. But I think if you modify the on action to be on the prerelease event rather than on a schedule and find a way to copy the SBOMs to a release (I still think it is worth storing in the repo BTW), then I think you will be there.
from ntia-conformance-checker.
@anthonyharrison, is there an example repo where you do this already?
@jspeed-meyers There is a GitHub action here which publishes an SBOM every week to the github repository. We publish a separate SBOM for each version of Python which is supported because there are different dependency requirements depending on the Python version being used. There may also be different dependencies related to the target architecture and operating system but I don't think this applies for this project.
Thank you, @anthonyharrison. That's useful.
One of the "requirements" (air quotes, because I am making this up as I go along) I created for this task is to publish the created SBOM to the GitHub releases page. IIUC, the Action in the project you highlighted publishes into the project repository. Both are sensible, but my preference is to only create SBOMs for releases.
One of Anchore's actions for syft appears to do this: https://github.com/anchore/sbom-action
I was thinking of trying that action out instead of that approach since the Anchore action default behavior is to release an SBOM to the GH Action release page, though I would prefer to use the sbom4python tool since you are the creator of it and so can help troubleshoot. Any objections or thoughts?
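The workflow sketched in the comments above (trigger on a release event, build one SBOM per supported Python version with sbom4python, attach the files to the GitHub release), written out as an added example. This is not a workflow from the ntia-conformance-checker project or from anthonyharrison; it assumes the `sbom4python` flags `-m`, `--sbom`, `--format` and `-o` as described in that tool's CLI help, uses the stock `gh` CLI on the runner for the upload, and runs `ntia-checker --file` on each generated file so that a non-conformant SBOM fails the job before anything is published.

```yaml
# Added example (not the project's own workflow). Assumptions: sbom4python's
# -m/--sbom/--format/-o flags, the package name passed to -m, and that
# `gh` is present on ubuntu-latest (it is on GitHub-hosted runners).
name: Release SBOM

on:
  release:
    types: [published]   # runs once per published (pre)release, not on a schedule

permissions:
  contents: write        # required for `gh release upload`

jobs:
  sbom:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # one SBOM per supported interpreter, since dependencies differ by Python version
        python-version: ["3.9", "3.10", "3.11"]
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install the package, sbom4python and the conformance checker
        run: |
          python -m pip install --upgrade pip
          python -m pip install . sbom4python ntia-conformance-checker

      - name: Generate an SPDX JSON SBOM for this interpreter
        run: |
          # -m takes the installed distribution name (assumed here)
          sbom4python -m ntia-conformance-checker --sbom spdx --format json \
            -o "sbom-py${{ matrix.python-version }}.spdx.json"

      - name: Check NTIA minimum elements before publishing
        run: |
          # non-zero exit from the checker fails the job, so a bad SBOM is never attached
          ntia-checker --file "sbom-py${{ matrix.python-version }}.spdx.json"

      - name: Attach the SBOM to the release that triggered the workflow
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release upload "${{ github.event.release.tag_name }}" \
            "sbom-py${{ matrix.python-version }}.spdx.json" --clobber
```

`--clobber` lets a re-run replace an asset of the same name instead of failing. If SBOMs should also be kept in the repository, as suggested earlier in the thread, an extra step can commit the generated files; the release assets remain the copy consumers download with the matching tag.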
This might simplify this task: https://github.com/marketplace/actions/sbom-generator-action