Generate releases in an ADO pipeline and move SBOM generation to the release pipeline #677
Labels
compliance & security
dev-automation
Related to automating builds, the development container, and improving the developer experience.
Benefit/Result/Outcome
So that the SBOM generation does not cause merge confusion for developers when creating pull requests.
Description
The SBOM generation currently runs as automation when a pull request is created. If a second PR is created and merged before the first one, the SBOM files show up in the first PR as a merge conflict. Resolving that conflict causes confusion, and developers have to resolve it in a particular way to avoid committing the wrong SBOM to main.
A solution is to stop committing the SBOM files to the source tree, and provide them as part of each release. We could generate each release in an ADO pipeline that creates the zip/tar files for the release and also creates an SBOM based on the zip file. (Each
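As an added illustration of the proposed layout (not the project's existing pipeline), the Azure Pipelines YAML below runs only on release tags, packages the tree into zip and tar.gz archives, generates the SBOM from the packaged drop with Microsoft's sbom-tool, and publishes archives, SBOM and checksums together as one pipeline artifact. The `v*` tag convention, the `myproject` release name, the supplier and namespace values, and the sbom-tool download URL are assumptions for this example.

```yaml
# Added example for this issue: release-only pipeline that produces the
# archives first and derives the SBOM from them, so nothing SBOM-related
# is ever committed to the source tree or shows up in a PR diff.
trigger:
  tags:
    include:
      - 'v*'          # assumed tag convention, e.g. v1.2.3; no branch builds

pr: none              # never run on pull requests

pool:
  vmImage: 'ubuntu-latest'

variables:
  releaseName: 'myproject-$(Build.SourceBranchName)'   # assumed naming
  dropDir: '$(Build.ArtifactStagingDirectory)/drop'

steps:
  - script: mkdir -p "$(dropDir)"
    displayName: Prepare drop directory

  # Package the source tree; the SBOM describes what ends up in these archives.
  - task: ArchiveFiles@2
    displayName: Create release zip
    inputs:
      rootFolderOrFile: '$(Build.SourcesDirectory)'
      includeRootFolder: false
      archiveType: zip
      archiveFile: '$(dropDir)/$(releaseName).zip'
      replaceExistingArchive: true

  - task: ArchiveFiles@2
    displayName: Create release tarball
    inputs:
      rootFolderOrFile: '$(Build.SourcesDirectory)'
      includeRootFolder: false
      archiveType: tar
      tarCompression: gz
      archiveFile: '$(dropDir)/$(releaseName).tar.gz'
      replaceExistingArchive: true

  # Generate the SBOM from the packaged drop. The download URL and the
  # package name/supplier/namespace values are assumptions for this example.
  - script: |
      set -euo pipefail
      curl -sSfL -o sbom-tool \
        https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
      chmod +x sbom-tool
      ./sbom-tool generate \
        -b "$(dropDir)" \
        -bc "$(Build.SourcesDirectory)" \
        -pn "$(releaseName)" \
        -pv "$(Build.SourceBranchName)" \
        -ps "Example Org" \
        -nsb "https://example.com/sbom"
      # Record archive hashes beside the SBOM so a consumer can tie the
      # document to the exact bytes that were released.
      (cd "$(dropDir)" && sha256sum *.zip *.tar.gz > SHA256SUMS)
    displayName: Generate SBOM from release archives

  # One artifact carries the archives, the _manifest/ SBOM output and the hashes.
  - task: PublishPipelineArtifact@1
    displayName: Publish release drop
    inputs:
      targetPath: '$(dropDir)'
      artifact: 'release'
```

Two points worth checking when adopting something like this: `pr: none` plus a tag-only trigger is what keeps the SBOM out of pull requests entirely, and the `-b` drop directory is where sbom-tool writes its `_manifest/` output, so publishing that directory as a single artifact keeps archives, SBOM and `SHA256SUMS` together for anyone verifying a release.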
Acceptance Criteria