
create action for tool #472

Closed

Conversation

@fnxpt commented Feb 2, 2023

Allow cyclonedx-node-npm to be executed using github actions

```yaml
name: Generate SBOM

on:

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
    - uses: CycloneDX/cyclonedx-node-npm
      with:
        path: "."
```

@fnxpt fnxpt requested a review from a team as a code owner February 2, 2023 11:49
Signed-off-by: Marlon Tojal <marlont@backbase.com>
@jkowalleck (Member) commented:

Thanks for the contribution, @fnxpt, but
could you give any context to this particular pull request?
I don't see a description, and the commit message only says "create action for tool".

I will put this PR on "DRAFT" until this is clarified.

@jkowalleck jkowalleck marked this pull request as draft February 2, 2023 11:58
@fnxpt (Author) commented Feb 2, 2023

Sorry about that, the idea is to allow the usage of the tool directly in a GitHub action.
In my use case I want to be able to run this action in my release workflow, so whenever I release a new version I generate a new SBOM.

@jkowalleck (Member) commented Feb 2, 2023

Firstly: let's discuss via #473 the reasons behind it, to help understand responsibilities and capabilities of such a GH-Action.

@jkowalleck (Member) commented:

Issues I have with the current state of the pull request, that need to be discussed:
There are multiple things to be considered before your solution could actually be taken into account:

Your solution would always install some version of @cyclonedx/cyclonedx-npm via npm, while it is sitting in a repo with a probably different version of the tool itself.
This might conflict with user expectations.

How should action versioning work? The version of a GH action is a tag.
If the action always just installs the latest version of @cyclonedx/cyclonedx-npm, this conflicts with the tool's version.
And it does not know semantic versioning - having a proper action sitting in the same repo as the tool is cumbersome and error-prone.

@fnxpt (Author) commented Feb 2, 2023

Ok, so @ghaction is a branch, but it was just to give context. When used, users should use either a branch or a tag, and maybe we should add an additional parameter to get a specific version of the tool.

Marlon Tojal added 2 commits February 2, 2023 14:33
Signed-off-by: Marlon Tojal <marlont@backbase.com>
Signed-off-by: Marlon Tojal <marlont@backbase.com>
@fnxpt (Author) commented Feb 2, 2023

Updated the PR with an input for the version and also some instructions in the README.

@jkowalleck (Member) commented:
Hello, @fnxpt, I am the author and maintainer of this tool.
Please come to #473 and tell what all this is about.
Let's talk first, implement later. :)

@fnxpt (Author) commented Feb 2, 2023

Closing this since we can use npx to run it directly.

@fnxpt fnxpt closed this Feb 2, 2023
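Since the thread closes on "use npx to run it directly", the workflow below is an added example (not code from this PR or from the CycloneDX project) of the release-time SBOM generation @fnxpt described, with the tool version pinned explicitly so the version-drift concern raised by @jkowalleck does not apply. `X.Y.Z` is a placeholder for the @cyclonedx/cyclonedx-npm release you choose, and the `--output-file` flag is an assumption to confirm against the tool's own `--help`.

```yaml
name: Generate SBOM on release

on:
  release:
    types: [published]

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 18

      # Install from the lockfile so the SBOM reflects the exact resolved tree,
      # not whatever a fresh "npm install" would pick today.
      - run: npm ci

      # Pin the tool version instead of resolving "latest" at run time.
      # X.Y.Z is a placeholder: substitute the @cyclonedx/cyclonedx-npm release
      # you have reviewed. --output-file is assumed from the tool's CLI.
      - run: npx --yes @cyclonedx/cyclonedx-npm@X.Y.Z --output-file sbom.cdx.json

      # Keep the SBOM with the release so it can be audited later.
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
```

Because the tool version lives in the workflow file, it is reviewed and bumped like any other dependency rather than drifting with each run.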