Posted to commits@camel.apache.org by "squakez (via GitHub)" <gi...@apache.org> on 2024/01/08 14:54:28 UTC

[I] Nightly SBOM procedure should not run if there are no changes [camel-k]

squakez opened a new issue, #5033:
URL: https://github.com/apache/camel-k/issues/5033

   ### What happened?
   
   The procedure is running and it recreates a different SBOM every night. Although it does no harm, it makes no sense and the nightly generation of commits pollutes the git history with meaningless information.
   
   ### Steps to reproduce
   
   _No response_
   
   ### Relevant log output
   
   _No response_
   
   ### Camel K version
   
   _No response_


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@camel.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Re: [I] Nightly SBOM procedure should not run if there are no changes [camel-k]

Posted by "squakez (via GitHub)" <gi...@apache.org>.
squakez commented on issue #5033:
URL: https://github.com/apache/camel-k/issues/5033#issuecomment-1882818685

   Okay, the problem is that every night we add a new commit, so, the night after it [recalculates the SBOM main app version](https://github.com/CycloneDX/cyclonedx-gomod#version-detection). I think that, in order to be consistent, we need to move this process into the release process and make sure that it uses the tag version which has been released.


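An added example, not part of the thread and not camel-k's own tooling: one way a scheduled job could decide whether a regenerated CycloneDX JSON SBOM really differs, by fingerprinting only the dependency components and ignoring the fields that change on every run (serial number, timestamp, main application version). The function names and the sample SBOMs are constructed for illustration.

```python
import hashlib
import json


def dependency_fingerprint(sbom_json: str) -> str:
    """Hash only the dependency list of a CycloneDX JSON SBOM.

    serialNumber, metadata.timestamp and the main component's version are
    left out on purpose: they change on every regeneration.
    """
    bom = json.loads(sbom_json)
    entries = []
    for comp in bom.get("components", []):
        ident = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        hashes = sorted((h.get("alg", ""), h.get("content", ""))
                        for h in comp.get("hashes", []))
        entries.append([ident, hashes])
    entries.sort()  # component order in the file must not matter
    return hashlib.sha256(json.dumps(entries).encode()).hexdigest()


def sbom_changed(old_json: str, new_json: str) -> bool:
    """True only when the dependencies (or their hashes) differ."""
    return dependency_fingerprint(old_json) != dependency_fingerprint(new_json)


def make_sbom(serial, timestamp, app_version, deps):
    """Build a constructed sample SBOM (all values are made up)."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{serial}",
        "metadata": {"timestamp": timestamp,
                     "component": {"type": "application",
                                   "name": "example.org/app",
                                   "version": app_version}},
        "components": [{"type": "library", "name": n, "version": v,
                        "purl": f"pkg:golang/{n}@{v}"} for n, v in deps],
    })


DEPS = [("example.org/liba", "v1.2.0"), ("example.org/libb", "v0.9.1")]
NIGHT_1 = make_sbom("00000000-0000-0000-0000-000000000001",
                    "2024-01-07T00:00:00Z", "v0.0.0-night1", DEPS)
NIGHT_2 = make_sbom("00000000-0000-0000-0000-000000000002",
                    "2024-01-08T00:00:00Z", "v0.0.0-night2", DEPS[::-1])
NIGHT_3 = make_sbom("00000000-0000-0000-0000-000000000003",
                    "2024-01-09T00:00:00Z", "v0.0.0-night3",
                    [("example.org/liba", "v1.3.0"), DEPS[1]])

if __name__ == "__main__":
    print("night 1 -> 2 changed:", sbom_changed(NIGHT_1, NIGHT_2))
    print("night 2 -> 3 changed:", sbom_changed(NIGHT_2, NIGHT_3))
```

A job using this check would commit or publish the new file only when `sbom_changed` returns true.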


Re: [I] Nightly SBOM procedure should not run if there are no changes [camel-k]

Posted by "oscerd (via GitHub)" <gi...@apache.org>.
oscerd commented on issue #5033:
URL: https://github.com/apache/camel-k/issues/5033#issuecomment-1882883883

   For me it's fine. But for having a way of knowing the vulnerabilities status during the development I'd prefer to have a job updating the SBOM on the repository once a week, so we could check if we are vulnerable to something with dependency track or other tools.




Re: [I] Nightly SBOM procedure should not run if there are no changes [camel-k]

Posted by "squakez (via GitHub)" <gi...@apache.org>.
squakez commented on issue #5033:
URL: https://github.com/apache/camel-k/issues/5033#issuecomment-1882840309

   @oscerd what would you say if, instead of committing the SBOM to the project, we publish it as a resource along with the release artifacts?




Re: [I] Nightly SBOM procedure should not run if there are no changes [camel-k]

Posted by "squakez (via GitHub)" <gi...@apache.org>.
squakez commented on issue #5033:
URL: https://github.com/apache/camel-k/issues/5033#issuecomment-1882888495

   > For me it's fine. But for having a way of knowing the vulnerabilities status during the development I'd prefer to have a job updating the SBOM on the repository once a week, so we could check if we are vulnerable to something with dependency track or other tools.
   
   We should have the same when publishing the nightly. The tools we're using should be able to use that artifact as well.




Re: [I] Nightly SBOM procedure should not run if there are no changes [camel-k]

Posted by "squakez (via GitHub)" <gi...@apache.org>.
squakez closed issue #5033: Nightly SBOM procedure should not run if there are no changes
URL: https://github.com/apache/camel-k/issues/5033

