ci(NODE-7025): New SBOM generation workflow on dependencies change #4807
base: main
| @@ -0,0 +1,19 @@ | |||
| name: Setup PHP SBOM | |||
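Review bot: `name: Setup PHP SBOM` on the first line of this new 19-line composite action does not match a Node.js driver repository; rename it to what it sets up (the later revision on this page uses `Setup Node SBOM`) so the step name shown in run logs is not misleading.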
This seems like it was a copy-paste from the PHP implementation?
| name: Setup Node SBOM | ||
| description: Sets up environment for generating SBOM in Node.js projects | ||
| inputs: | ||
| working-directory: |
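Review bot: the `working-directory` input is declared with nothing after its key in the visible lines; give it a `description`, `required: false` and `default: .` so a caller that omits it runs against the repository root instead of an empty string being substituted into `cd` or path arguments.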
This action shouldn't be necessary because:
- the shared setup action we use (and which is called in sbom.yml) already configures Node
- cyclonedx/cdxgen appears to be unused
| permissions: | ||
| contents: write | ||
| pull-requests: write |
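Review bot: `contents: write` here is broader than necessary if it sits at the workflow level, because every job then receives a write-capable `GITHUB_TOKEN`; set the workflow default to `contents: read`, grant `contents: write` only on the job that commits sbom.json, and drop `pull-requests: write` entirely if the workflow no longer opens a pull request. Each extra scope is what a compromised step or third-party action could use, so keep the token at the minimum the committing job needs.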
| pull-requests: write |
I think we can remove this permission now that we're committing to main, right?
| concurrency: | ||
| group: sbom-${{ github.ref }} | ||
| cancel-in-progress: false |
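Review bot: `cancel-in-progress: false` with a group keyed on `github.ref` means runs for the same branch are queued one at a time, so they never commit simultaneously, but a superseded run still finishes and pushes its sbom.json before the newest run starts, producing an extra commit of stale output; if only the latest dependency state matters, `cancel-in-progress: true` stops the superseded run instead.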
| cancel-in-progress: false | |
| cancel-in-progress: true |
I definitely think we want cancel-in-progress: true (or limit concurrency to 1 execution at a time). Otherwise, it would be last action to finish wins, right?
| - name: Load version and package info | ||
| uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 | ||
| with: | ||
| npm_package_name: mongodb |
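Review bot: `uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3` pins to a moving major tag; pin cross-repository actions to a full commit SHA (with the tag in a trailing comment) so a re-tag of `v3` cannot change what executes with this workflow's write-capable token. The same applies to every other `@vN` reference in the file.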
| - name: Load version and package info | |
| uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 | |
| with: | |
| npm_package_name: mongodb |
This shouldn't be necessary
| - name: Generate/Update package-lock.json | ||
| run: | | ||
| echo "Resolving dependencies and generating package-lock.json..." | ||
| npm install --package-lock-only |
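Review bot: `npm install --package-lock-only` re-resolves every range in package.json against the registry at run time, so the lockfile, and the SBOM built from it, can drift from what is committed and from what the earlier setup step installed; if the SBOM should describe the committed dependency state, drop this step and generate from the existing package-lock.json, and if the intent is to refresh the lockfile, that refresh belongs in a reviewable PR rather than an unattended commit.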
We've already run npm install above in mongodb-labs/drivers-github-tools/node/setup@v3. Is it necessary to only install from package-lock? If so, we might want to remove the call to the above action.
Description
Summary of Changes
This PR adds a new GitHub Actions workflow that will be triggered on package changes.
The trigger will generate a new SBOM.json file and, if it differs from the project's one, will create a PR.
Notes for Reviewers
Please review if this is going to work for how you handle project branches.
What is the motivation for this change?
SSDLC Improvement Goals
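For reference, here is an added example (not the PR's own workflow) of what the reviewed file could look like once the comments above are applied: a read-only workflow default with write permission scoped to the committing job, `cancel-in-progress: true`, installation from the committed lockfile, and a commit only when the generated file actually differs. It assumes npm's built-in `npm sbom` command (npm 10.1 or newer) as the generator, since the page does not show which tool the PR uses, and direct commits to the branch as the thread indicates.

```yaml
name: SBOM on dependency change

on:
  push:
    branches: [main]
    paths:
      - package.json
      - package-lock.json

# Workflow default: read-only token. Only the job that pushes escalates.
permissions:
  contents: read

concurrency:
  group: sbom-${{ github.ref }}
  cancel-in-progress: true   # a superseded run is stopped instead of committing stale output

jobs:
  sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # needed here only, to push sbom.json
    steps:
      - uses: actions/checkout@v4      # pin to a full commit SHA in production
      - uses: actions/setup-node@v4    # same here
        with:
          node-version: 20   # ships npm 10.x, which provides `npm sbom`

      # Install exactly the committed lockfile; never re-resolve ranges here.
      - run: npm ci

      # Assumed generator: npm's built-in CycloneDX output (npm >= 10.1).
      - run: npm sbom --sbom-format cyclonedx > sbom.json

      # Stage first so a brand-new sbom.json is detected too, then commit only on a real change.
      - name: Commit sbom.json if it changed
        run: |
          git add sbom.json
          if git diff --cached --quiet -- sbom.json; then
            echo "sbom.json unchanged"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git commit -m "chore: update sbom.json"
          git push
```

If `main` is protected by a branch ruleset, the push made with `GITHUB_TOKEN` is rejected unless the workflow is allowed to bypass it; the alternative is the pull-request flow the PR description mentions, with `pull-requests: write` scoped to that job.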