Generate releases in an ADO pipeline and move SBOM generation to the release pipeline #677

Closed
brooke-hamilton opened this issue Feb 24, 2022 · 0 comments · Fixed by #688
Labels: compliance & security, dev-automation

brooke-hamilton commented Feb 24, 2022

Benefit/Result/Outcome

So that the SBOM generation does not cause merge confusion for developers when creating pull requests.

Description

The SBOM generation currently runs as automation upon creating a pull request. If a second PR is created and merged before the first PR, the SBOM files appear in the first PR as a merge conflict. Resolving the conflict is causing confusion, and developers have to resolve the conflict in a particular way to avoid having the wrong SBOM committed to main.

A solution is to stop committing the SBOM files to the source tree, and provide them as part of each release. We could generate each release in an ADO pipeline that creates the zip/tar files for the release and also creates an SBOM based on the zip file. (Each

Acceptance Criteria

  • An ADO pipeline can be manually triggered to generate a draft GitHub release for MLZ.
  • The pipeline generates the label, release notes, and zip files the same as the current user interface process.
  • The pipeline generates an SBOM. The SBOM can either be generated for all files in the repository (as it does today) or it could be generated for the zip/tar files.
  • The SBOM files can be downloaded from the release as a zip file.
  • Update CONTRIBUTING.md to describe cutting a release
@brooke-hamilton brooke-hamilton added the dev-automation Related to automating builds, the development container, and improving the developer experience. label Feb 24, 2022
@brooke-hamilton brooke-hamilton moved this from Triage to Current Backlog in Mission Landing Zone 2022 Mar 1, 2022
@glennmusa glennmusa moved this from Current Backlog to In Progress in Mission Landing Zone 2022 Mar 1, 2022
@glennmusa glennmusa self-assigned this Mar 1, 2022
@glennmusa glennmusa mentioned this issue Mar 7, 2022
4 tasks
Repository owner moved this from In Progress to Done in Mission Landing Zone 2022 Mar 7, 2022