Publish SBOM for Each Release about ntia-conformance-checker HOT 5 CLOSED

@jspeed-meyers I am not very good with GH actions. But I think if you modify the on action to be on the prelease event rather than on a schedule and find a way to copy the SBOMs to a release (I still think it is worth storing in the repo BTW), then I think you will be there.

from ntia-conformance-checker.

@anthonyharrison, is there an example repo where you do this already?

from ntia-conformance-checker.

@jspeed-meyers There is a GitHub action here which publishes an SBOM every week to the github repository. We publish a separate SBOM for each version of Python which is supported because there are different dependency requirements depending on the Python version being used. There may also be different dependencies related to the target architecture and operating system but I don't think this applies for this project.

from ntia-conformance-checker.

Thank you, @anthonyharrison. That's useful.

One of the "requirements" (air quotes, because I am making this up as I go along) I created for this task is to publish the created SBOM to the GitHub releases page. IIUC, the Action in the project you highlighted publishes into the project repository. Both are sensible, but my preference is to only create SBOMs for releases.

One of Anchore's actions for syft appears to do this: https://github.com/anchore/sbom-action

I was thinking of trying that action out instead of that approach since the Anchore action default behavior is to release an SBOM to the GH Action release page, though I would prefer to use the sbom4python tool since you are the creator of it and so can help troublesboot. Any objections or thoughts?

from ntia-conformance-checker.

This might simplify this task: https://github.com/marketplace/actions/sbom-generator-action

from ntia-conformance-checker.