gh-node-module-generatebom
[IDEA] make universal
current implementation utilizes https://github.com/CycloneDX/cyclonedx-node-module/ in version `@<4`
v3 is deprecated. v4 became a meta package, utilizing special implementations for npm, pnpm, yarn, ...
GOAL: rework this GH action:
- input (intended to be as much backward compatible as possible, to not break users of the `@master` version too much)
  - `path` to the project dir - default to `./`
  - `cyclonedx-version`: {`1.4`, `1.3`, ...} - default to `latest`
  - `output`: output file - default to `./bom.xml`
  - `package-manager`: {`npm`, `pnpm`, `yarn`, `yarn2`}
- it is expected that the env already has a node env set up and the package manager is installed.
- auto-detection: based on lock file type
  - it could detect existence of {npm,pnpm,yarn}-lockfile
- process:
  - if the tools are not yet available in the current target env, then the needed appropriate tools are installed with the according eco system (`npx i`/`pnpm add`/`yarn add`) in a temp dir - the appropriate application is run from that temp dir
  - if there is no appropriate application (yet) the GH action exits with an error, prints an info message.
internally
- [ ] utilize https://github.com/CycloneDX/cyclonedx-node-npm
- [ ] utilize https://github.com/CycloneDX/cyclonedx-node-pnpm
- [ ] utilize https://github.com/CycloneDX/cyclonedx-node-yarn
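As an added illustration (not code from this action or from the CycloneDX tooling), a POSIX shell function implementing the lock-file auto-detection and the `package-manager` override sketched above; it refuses to guess when no lock file or more than one lock file is present, since the BOM would otherwise describe the wrong dependency tree. Telling yarn v1 from yarn 2+ by a `__metadata:` header in `yarn.lock` is an assumption, not something the issue states.

```shell
#!/bin/sh
# Added example: lock-file based package manager detection for the action.
# Usage: detect_package_manager PROJECT_DIR [PACKAGE_MANAGER_INPUT]
# Prints one of: npm pnpm yarn yarn2. Returns 1 with a message on stderr
# when nothing, or more than one thing, matches, so the action fails
# instead of picking a lock file at random.
detect_package_manager() {
  dir=${1:-.}
  forced=${2:-}          # the `package-manager` input, if the user set it
  if [ -n "$forced" ]; then
    case $forced in
      npm|pnpm|yarn|yarn2) echo "$forced"; return 0 ;;
      *) echo "unknown package-manager: $forced" >&2; return 1 ;;
    esac
  fi
  found=""
  if [ -f "$dir/package-lock.json" ]; then found="$found npm"; fi
  if [ -f "$dir/pnpm-lock.yaml" ]; then found="$found pnpm"; fi
  if [ -f "$dir/yarn.lock" ]; then
    # Assumption: a yarn berry (v2+) lock file starts with a "__metadata:"
    # block, a classic yarn v1 lock file does not.
    if grep -q '^__metadata:' "$dir/yarn.lock"; then
      found="$found yarn2"
    else
      found="$found yarn"
    fi
  fi
  # Word-split the collected names into the function's positional parameters.
  set -- $found
  case $# in
    1) echo "$1"; return 0 ;;
    0) echo "no {npm,pnpm,yarn} lock file in $dir; set package-manager explicitly" >&2
       return 1 ;;
    *) echo "ambiguous: lock files for$found in $dir; set package-manager explicitly" >&2
       return 1 ;;
  esac
}
```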
change process:
- [x] write the docs with: use `@v1` - instead of `@master`
- [ ] current master becomes available as git branch `1.x`
- [ ] next version is properly tagged as `v2` and so on ...
- :warning: since there might be users that run directly on `@master` - the master branch must be working all the time - do development in a dedicated temp branch!