
docs: mark deprecated

Open jkowalleck opened this issue 1 year ago • 4 comments

This GitHub Action is considered deprecated.
Instead, you may use one of the following tools in your GitHub workflow:

  • for NPM projects: @cyclonedx/cyclonedx-npm
    - name: Create SBOM step
      # see for usage: https://www.npmjs.com/package/%40cyclonedx/cyclonedx-npm
      run: npx @cyclonedx/cyclonedx-npm@^1 # your options here
    
  • for YARN projects: @cyclonedx/yarn-plugin-cyclonedx
    - name: Create SBOM step
      # see for usage: https://www.npmjs.com/package/%40cyclonedx/yarn-plugin-cyclonedx
      run: yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx@^1 # your options here
    
  • for PNPM projects: to be announced

For other Node.js related CycloneDX SBOM generators, see also: https://github.com/CycloneDX/cyclonedx-node-module/blob/master/README.md

jkowalleck avatar Jul 08 '24 16:07 jkowalleck
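For context, here is a complete workflow that uses the cyclonedx-npm one-liner from the post above in a full job and keeps the resulting SBOM as a build artifact. This is an added example, not from the original issue or the CycloneDX project; the `actions/*` versions, the Node.js version, and the output path `sbom.cdx.json` are assumptions, and the `--output-file` / `--output-format` options are those documented for cyclonedx-npm 1.x (check the linked npm page for the current option set).

```yaml
# Added example: GitHub workflow producing a CycloneDX SBOM with the
# cyclonedx-npm CLI directly, instead of the deprecated GH-action.
name: sbom

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read        # least privilege: the job only reads the repo

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'   # assumed; pin to the project's own version
          cache: npm

      # Install from the lockfile so the SBOM reflects exactly what is
      # resolved there; --ignore-scripts keeps install hooks from running
      # on the build runner.
      - name: Install dependencies
        run: npm ci --ignore-scripts

      - name: Create SBOM step
        # see for usage: https://www.npmjs.com/package/%40cyclonedx/cyclonedx-npm
        run: >
          npx @cyclonedx/cyclonedx-npm@^1
          --output-format JSON
          --output-file sbom.cdx.json

      # Keep the SBOM with the build so it can be reviewed or fed into
      # downstream tooling later.
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
```

For a Yarn project the "Create SBOM step" is the `yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx@^1` line from the post, with the install step replaced by the project's usual `yarn install`.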

followup: create a minor release, to announce/communicate the deprecation of this thing

jkowalleck avatar Jul 08 '24 16:07 jkowalleck

Is there a reason why this is being deprecated rather than being enhanced to support yarn? https://github.com/marketplace/actions/cyclonedx-node-js-generate-sbom is currently listed in the GitHub Marketplace along with several other CycloneDX GitHub Actions.

stevespringett avatar Jul 08 '24 16:07 stevespringett

Is there a reason why this is being deprecated rather than being enhanced to support yarn?

This tool already has rudimentary yarn support in the current version.

https://github.com/marketplace/actions/cyclonedx-node-js-generate-sbom is currently listed in the GitHub Marketplace along with several other CycloneDX GitHub Actions.

This is not planned to change. This action will stay.

Reminder: this GH-action utilizes an outdated CLI tool. See https://github.com/CycloneDX/gh-node-module-generatebom?tab=readme-ov-file#internals

The modern CLI tools have evolved a lot. They are properly documented, and are easy to set up and easy to use.

Nowadays, is there any use of this GitHub action instead of directly using the appropriate CLI tools?

  • Both alternatives are a one-liner in GitHub workflows. I just cannot see any benefit of this GH-action.
  • As a user: calling the actual CLI tools gives all the control to the end user.
  • As a maintainer: modernizing this action would create a wrapper of the actual CLI, meaning always chasing the evolution of the actual tool. What would be the benefit of this?

jkowalleck avatar Jul 08 '24 17:07 jkowalleck

Deprecating this GH-action would close/obsolete #16 and #6

jkowalleck avatar Jul 08 '24 17:07 jkowalleck