Skip to content

Generate SBOM and attest artifacts #629

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 16 commits into from
Closed

Generate SBOM and attest artifacts #629

wants to merge 16 commits into from

Conversation

@martincostello
Copy link
Owner

@martincostello martincostello commented May 3, 2024

  • Generate an SBOM for the Windows publish output.
  • Attest the binaries and packages on Windows.

@martincostello
Generate SBOM and attest artifacts
094a2ec 
- Generate an SBOM for the Windows publish output.
- Attest the binaries and packages on Windows.
@martincostello martincostello added enhancement New feature or request github_actions Pull requests that update GitHub Actions code dependencies Pull requests that update a dependency file labels May 3, 2024
@codecov
Copy link

codecov bot commented May 3, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.78%. Comparing base (8e20600) to head (da3c0b5).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #629   +/-   ##
=======================================
  Coverage   97.78%   97.78%           
=======================================
  Files          15       15           
  Lines         271      271           
  Branches       37       37           
=======================================
  Hits          265      265           
  Misses          3        3           
  Partials        3        3
Flag Coverage Δ
linux 97.04% <ø> (ø)
macos 97.78% <ø> (ø)
windows 97.04% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@martincostello
Fix directory separators
4a51d46 
The action won't normalize apparently.
@martincostello
Change path format
034010b 
End with a slash.
@martincostello
Change again
ec7900e 
Use the same syntax as elsewhere.
@martincostello
Fix path
59405a4 
There is no publish...
@martincostello
Change subject-path
0cd6345 
Try and fix wildcard not working.
@martincostello
Fix paths
3f4621d 
The binary location was wrong.
@martincostello
Rename steps
e7edc52 
Use the right terms.
@martincostello
Reduce attestation scope
3d9abb7 
Only attest the produced binaries, not other stuff.
@martincostello
Reduce SBOM scope
2e07cb2 
Only important for the binaries, not also the tests etc.
@martincostello
Reduce attestation
31b4c5c 
Only attest when the packages are going to be pushed somewhere.
@martincostello
Only attest binaries
ac66e9f 
The NuGet packages get signed by NuGet.org, so validating the downloaded packages against the attestation won't succeed.
@martincostello
Attest provenance
69dff42 
Attest provenance as well as via the SBOM.
@martincostello
Merge branch 'main' into sbom-and-attestation
225ecc0
@martincostello
Do not use SBOM to attest
ec2bb1c 
Instead just use the provenance action.
@martincostello
Bump actionlint to 1.7.0
da3c0b5 
Bump actionlint to 1.7.0 and remove workaround.
@martincostello
Copy link
Owner Author

martincostello commented May 11, 2024

#634

@martincostello martincostello deleted the sbom-and-attestation branch May 11, 2024 13:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file enhancement New feature or request github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@martincostello