Switch the default SBOM type to SPDX #1865
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/ok-to-test I sure hope e2e-tests will work with SPDX 🙏 |
|
Missing task updates:
|
|
/retest |
1 similar comment
|
/retest |
9 tasks
chmeliik
force-pushed
the
everything-spdx
branch
from
7846456 to
9a8496e
Compare
chmeliik
force-pushed
the
everything-spdx
branch
from
9a8496e to
11bfe74
Compare
chmeliik
requested review from
ralphbean,
a team,
brunoapimentel,
eskultety and
taylormadore
as code owners
|
/test build-definitions-pull-request |
|
As reflected in the prefetch task's MIGRATION.md doc, some of the more niche build tasks are still not SPDX ready, mainly:
But I don't think we should let that block us, because
|
chmeliik
force-pushed
the
everything-spdx
branch
from
11bfe74 to
066f24b
Compare
|
Rebased and "re-boostrapped" new task versions |
chmeliik
force-pushed
the
everything-spdx
branch
from
066f24b to
4665e8c
Compare
|
rebased, re-bootstrapped |
chmeliik
force-pushed
the
everything-spdx
branch
from
4665e8c to
6ce5c15
Compare
jsztuka
reviewed
Jan 30, 2025
| @@ -3,7 +3,7 @@ apiVersion: tekton.dev/v1 | |||
| kind: Task | |||
| metadata: | |||
| labels: | |||
| app.kubernetes.io/version: "0.3" | |||
| app.kubernetes.io/version: "0.5" | |||
There was a problem hiding this comment.
I'm little confused here, the Migration MR says migration from 0.4 to 0.5 but this differs. Looks like it was forgotten to increment a version to 0.4. Jut to be aware of this fact.
There was a problem hiding this comment.
Yeah, the 0.4 of this task had app.kubernetes.io/version: "0.3"
ralphbean
previously approved these changes
Jan 30, 2025
mmorhun
previously approved these changes
Jan 30, 2025
|
Waiting with merging until we're sure that all consumers are SPDX ready (discussing internally on Slack) |
Prepare new versions of SBOM-related tasks as follows:
new_ver() {
local task=$1
local v1=$2
local v2=$3
for task in $task ${task}-oci-ta; do
if [ ! -e $task ]; then
continue
fi
cp -r $task/$v1/. $task/$v2
if [ -e $task/$v2/recipe.yaml ]; then
sed -E "s;base:(.*)$v1;base:\1$v2;" \
-i $task/$v2/recipe.yaml
fi
if [ -e $task/$v2/MIGRATION.md ]; then
rm $task/$v2/MIGRATION.md
fi
done
}
new_ver task/prefetch-dependencies 0.1 0.2
new_ver task/buildah 0.3 0.4
new_ver task/buildah-remote 0.3 0.4
new_ver task/oci-copy 0.1 0.2
new_ver task/source-build 0.1 0.2
new_ver task/deprecated-image-check 0.4 0.5
That is:
* copy to new version-specific directories
* fix the base task path in recipe.yaml files
* drop the version-specific migration docs
More version-specific changes (the actual changes in functionality,
MIGRATION.md files) will be done in separate commits to make them
review-able.
Signed-off-by: Adam Cmiel <[email protected]>
Version 0.4 was created in a previous commit by copying from 0.3. Make sure the task generator will handle 0.4 going forward. Signed-off-by: Adam Cmiel <[email protected]>
There are no breaking changes in this version, the version simply marks the addition of SPDX support. Just bump the version label and add a MIGRATION.md explaining that no migration is needed. Signed-off-by: Adam Cmiel <[email protected]>
There are no breaking changes in this version, the version simply marks the addition of SPDX support. Just bump the version label and add a MIGRATION.md explaining that no migration is needed. Signed-off-by: Adam Cmiel <[email protected]>
Switch the default SBOM format to SPDX. Bump the version label, add the MIGRATION.md file. Signed-off-by: Adam Cmiel <[email protected]>
Switch the default SBOM format to SPDX. Bump the version label, add the MIGRATION.md file. Signed-off-by: Adam Cmiel <[email protected]>
Switch the default SBOM format to SPDX. Bump the version label, add the MIGRATION.md file. Signed-off-by: Adam Cmiel <[email protected]>
Signed-off-by: Adam Cmiel <[email protected]>
Signed-off-by: Adam Cmiel <[email protected]>
chmeliik
force-pushed
the
everything-spdx
branch
from
6ce5c15 to
b2b8df7
Compare
|
Re-based, re-bootstrapped (to pick up latest changes in the prefetch task) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bump the versions of all SBOM-related tasks
sha256digest of your task is new enough)To minimize disruption, users have to upgrade all the SBOM-related tasks at the same time. This is why these changes need to be done in a single PR, so that all the updates are built and released together and then proposed all at once by Renovate/Mintmaker