Merge branch 'main' of github.com:anchore/sbom-action into fix/matrix…

…-build-correlator
anchore · Dec 4, 2024 · 000ae0c · 000ae0c
2 parents d880107 + 55dc4ee
commit 000ae0c
Show file tree

Hide file tree

Showing 14 changed files with 1,787 additions and 20,736 deletions.
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
@@ -18,6 +18,9 @@ version-resolver:
     labels: [patch]
   default: patch
 
+exclude-labels:
+  - "changelog-ignore"
+
 template: |
   ## Changes in v$RESOLVED_VERSION
 

diff --git a/.github/workflows/remove-awaiting-response-label.yaml b/.github/workflows/remove-awaiting-response-label.yaml
@@ -0,0 +1,11 @@
+name: "Manage Awaiting Response Label"
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  run:
+    uses: "anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main"
+    secrets:
+      token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
   build: # make sure build/ci work properly and there is no faked build ncc built scripts
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: npm ci
       - run: npm run package
       - run: git status --porcelain
@@ -30,7 +30,7 @@ jobs:
         os: [ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: ./
           artifact-name: ${{ matrix.os }}-1.spdx
@@ -64,7 +64,7 @@ jobs:
         ports:
           - 5000:5000
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Build images
         run: |
           for distro in alpine centos debian; do
@@ -77,7 +77,7 @@ jobs:
   test-as-action: # make sure the action works on a clean machine without building
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: ./
 

diff --git a/.github/workflows/update-syft-release.yml b/.github/workflows/update-syft-release.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'anchore/sbom-action'
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Get latest Syft version
         id: latest-version
         env:
@@ -29,7 +29,7 @@ jobs:
         with:
           app_id: ${{ secrets.TOKEN_APP_ID }}
           private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
-      - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
+      - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
           signoff: true
           delete-branch: true

diff --git a/README.md b/README.md
@@ -17,6 +17,17 @@ and upload a workflow artifact SBOM in SPDX format. It will also detect
 if being run during a [GitHub release](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases)
 and upload the SBOM as a release asset.
 
+> [!IMPORTANT]
+> To upload the SBOM to releases, you will need to give the action permission to read the artifact from the action, and write it to the release:
+> ```yaml
+> jobs:
+>  build:
+>    permissions:
+>      actions: read
+>      contents: write
+>    steps:
+> ```
+
 ## Example Usage
 
 ### Scan a container image

diff --git a/RELEASE.md b/RELEASE.md
@@ -0,0 +1,19 @@
+# Release
+
+A release of sbom-action comprises:
+- a new semver git tag from the current tip of the main branch
+- a new [github release](https://github.com/anchore/sbom-action/releases) with a changelog
+- the action distributable committed into the repo at `dist/`
+
+Ideally releasing should be done often with small increments when possible. Unless a
+breaking change is blocking the release, or no fixes/features have been merged, a good
+target release cadence is between every 1 or 2 weeks.
+
+
+## Creating a release
+
+Releases are automatically drafted on every push to the main branch. Please see the [github releases page](https://github.com/anchore/sbom-action/releases) for the latest draft. To publish the release:
+
+- Click "edit" (the pencil icon)
+- Modify the changelog as needed (for instance, if syft was bumped multiple times, include only the latest version bump entry)
+- Click "publish"