Unify git state detection mechanisms #1460

Closed
luhring opened this issue Aug 28, 2024 · 0 comments · Fixed by #1474

luhring commented Aug 28, 2024

Today we have two similar functions that try to get the current commit for the Melange configuration file (e.g. crane.yaml):

  • detectCommit — used to populate the commit value of the APK's PKGINFO
  • ConfigFileExternalRef — used to create a PURL for the distro package definition to be used in the SBOM

The latter implementation also has a brittle dependency on the configured remote being named origin, and if it's not, the PURL is silently withheld from the SBOM.

The commit claimed as the version of the melange config used for the build should be the same between (a) the APK's PKGINFO and (b) the APK's SBOM. So ideally they'd use the same implementation to arrive at this value.
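
An added example, not Melange's code and not part of the issue: one way a single detection step could feed both consumers, resolving the remote without requiring it to be named origin and returning an error where the reference would otherwise be dropped silently. The names `GitState`, `remoteURLs` and `DetectGitState`, the remote-selection policy, and the sample config text are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// GitState is resolved once; both the PKGINFO commit and the SBOM reference read it.
type GitState struct{ Commit, RemoteURL string }

// remoteURLs extracts name -> url from the [remote "..."] sections of git config text.
func remoteURLs(config string) map[string]string {
	remotes, current := map[string]string{}, ""
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") { // any section header ends the previous section
			current = ""
			if strings.HasPrefix(line, `[remote "`) && strings.HasSuffix(line, `"]`) {
				current = strings.TrimSuffix(strings.TrimPrefix(line, `[remote "`), `"]`)
			}
		} else if k, v, ok := strings.Cut(line, "="); ok && current != "" && strings.TrimSpace(k) == "url" {
			remotes[current] = strings.TrimSpace(v)
		}
	}
	return remotes
}

// DetectGitState (hypothetical name, assumed policy): prefer "origin", else the only
// configured remote, else return an error instead of silently dropping the reference.
func DetectGitState(commit, config string) (GitState, error) {
	remotes := remoteURLs(config)
	if url, ok := remotes["origin"]; ok {
		return GitState{Commit: commit, RemoteURL: url}, nil
	}
	if len(remotes) == 1 {
		for _, url := range remotes {
			return GitState{Commit: commit, RemoteURL: url}, nil
		}
	}
	return GitState{}, fmt.Errorf("cannot choose among %d remotes; none is named origin", len(remotes))
}

func main() {
	// Constructed sample: a clone whose only remote is named "upstream".
	cfg := "[core]\n\tbare = false\n[remote \"upstream\"]\n\turl = https://example.invalid/pkgs.git\n"
	fmt.Println(DetectGitState("0123456789abcdef0123456789abcdef01234567", cfg))
}
```

Because the commit and the remote come from one returned value, the PKGINFO field and the SBOM reference cannot disagree, and an ambiguous or missing remote surfaces as a build-time error.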
