
ci: Add SBOM attestations and bump please release

Open askpt opened this issue 7 months ago • 1 comment

This PR

This pull request introduces a streamlined process for generating and attesting SBOMs (Software Bill of Materials) for .NET projects, along with updates to permissions and workflow configurations. The changes enhance automation, improve security, and simplify the SBOM generation workflow.

SBOM Generation and Attestation Enhancements:

  • Added a new composite GitHub Action (sbom-generator) to generate SBOMs using CycloneDX, upload them to a release, and create attestations. This action supports configurable inputs like github-token, project-name, and release-tag (.github/actions/sbom-generator/action.yml).
  • Replaced the previous standalone SBOM generation steps in the release workflow with calls to the new sbom-generator action for multiple projects (e.g., OpenFeature, OpenFeature.Hosting, OpenFeature.DependencyInjection) (.github/workflows/release.yml).

Workflow and Permissions Updates:

  • Updated the permissions section in the release workflow to include id-token: write and attestations: write, enabling secure SBOM attestation and release tagging (.github/workflows/release.yml).
  • Added installation of the CycloneDX.NET tool (dotnet tool install) to the release workflow for SBOM generation (.github/workflows/release.yml).

Configuration Improvements:

  • Added a signoff field in the release-please-config.json to standardize commit sign-offs for release automation (release-please-config.json).

Related Issues

Fixes #465

Notes

I was triggering the build manually to see if I could generate the SBOMs and attest them. They should be visible here: https://github.com/open-feature/dotnet-sdk/actions/runs/15072156929

askpt avatar May 16 '25 15:05 askpt
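As an added sketch (not the PR's own action.yml), this is what a composite action with the three inputs named above could look like: it runs the CycloneDX .NET tool, uploads the result with `gh release upload`, and signs it with GitHub's `actions/attest-sbom`. Assumed: the project layout `src/<name>/<name>.csproj`, the `.nupkg` location, and the CycloneDX CLI flags other than `-o` (taken from the tool's help text; verify against the installed version).

```yaml
# Hypothetical .github/actions/sbom-generator/action.yml (illustration, not the PR's file)
name: sbom-generator
description: Generate a CycloneDX SBOM for one .NET project, upload it to the release and attest it
inputs:
  github-token:
    description: Token used for the release upload (needs contents:write on the repository)
    required: true
  project-name:
    description: Project name, e.g. OpenFeature; assumed to live at src/<name>/<name>.csproj
    required: true
  release-tag:
    description: Git tag of the GitHub release that receives the SBOM asset
    required: true
runs:
  using: composite
  steps:
    - name: Generate CycloneDX SBOM
      shell: bash
      run: |
        # Relies on the calling workflow having run `dotnet tool install --global CycloneDX`.
        # -o is the output directory; -j (JSON output) and -fn (filename) are assumed from
        # the tool's help text, check `dotnet CycloneDX --help` for the installed version.
        dotnet CycloneDX "src/${{ inputs.project-name }}/${{ inputs.project-name }}.csproj" \
          -o sbom -j -fn "${{ inputs.project-name }}.cdx.json"

    - name: Upload SBOM as a release asset
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.github-token }}
      run: gh release upload "${{ inputs.release-tag }}" "sbom/${{ inputs.project-name }}.cdx.json" --clobber

    # Produces a signed in-toto attestation whose predicate is the SBOM and whose subject is the
    # package it describes. The calling job must grant `id-token: write` (for the Sigstore OIDC
    # signing flow) and `attestations: write`, the two permissions the PR adds to release.yml.
    # Pin the action to a commit SHA rather than a tag when adopting this for real.
    - name: Attest SBOM
      uses: actions/attest-sbom@v2
      with:
        # Assumed package location; the subject is the artifact the SBOM describes, not the SBOM itself.
        subject-path: src/${{ inputs.project-name }}/bin/Release/${{ inputs.project-name }}.*.nupkg
        sbom-path: sbom/${{ inputs.project-name }}.cdx.json
```

Consumers can later verify the attestation against the published package with `gh attestation verify`, which ties the SBOM to the release artifact rather than to a detached file.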

Codecov Report

All modified and coverable lines are covered by tests.

Project coverage is 87.08%. Comparing base (6d7a535) to head (3e2227d). Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #470   +/-   ##
=======================================
  Coverage   87.08%   87.08%           
=======================================
  Files          45       45           
  Lines        1757     1757           
  Branches      184      184           
=======================================
  Hits         1530     1530           
  Misses        187      187           
  Partials       40       40           


codecov[bot] avatar May 16 '25 16:05 codecov[bot]