feat(release): attach a CycloneDX SBOM to the GitHub release #18
Merged
Generate a production SBOM with the native `pnpm sbom` command (pnpm 11) and upload it as a release asset, so each tag ships a Bill of Materials for the published dependency tree. Prod-only matches what npm publishes; the file is gitignored and excluded from the npm tarball by `files`.
Generates a Software Bill of Materials on each release using the native `pnpm sbom` command (available since the pnpm 11 bump) and uploads it as a GitHub release asset.

- `pnpm sbom --sbom-format cyclonedx --prod > sbom.cdx.json` — CycloneDX 1.7 JSON, production deps only (matches what's published to npm).
- `gh release create … sbom.cdx.json`.
- `sbom.cdx.json` is gitignored and already excluded from the npm tarball by the `files` allowlist.

Verified the command output locally; the release job only runs on tag push, so CI here won't exercise it.
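Since the release job only runs on tag push and is never exercised by CI on the PR, a cheap gate between `pnpm sbom … > sbom.cdx.json` and `gh release create` catches the two ways this step can silently degrade: a malformed or empty document, and a `--prod` SBOM that still lists devDependencies. The script below is an added example, not code from this PR or the project; the sample SBOM and `package.json` are constructed, the field names follow the CycloneDX JSON schema, and the file name `check_sbom.py` and its CLI usage are assumptions.

```python
"""Release-time sanity check for a CycloneDX JSON SBOM (added example, not the
project's own code). Run it after `pnpm sbom` and before `gh release create`,
so a malformed or over-inclusive SBOM never ships as a release asset."""
import hashlib
import json
import sys
from typing import Any

# Constructed sample: what `pnpm sbom --sbom-format cyclonedx --prod` plausibly
# emits for a package with two runtime dependencies. Field names follow the
# CycloneDX JSON schema; the values are made up for this example.
SAMPLE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.7",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000000",
    "version": 1,
    "metadata": {"component": {"type": "library", "name": "example-pkg", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "@scope/lib", "version": "2.3.4",
         "purl": "pkg:npm/%40scope/lib@2.3.4"},
    ],
}

# Constructed package.json for the same package.
SAMPLE_PACKAGE_JSON: dict[str, Any] = {
    "name": "example-pkg",
    "dependencies": {"lodash": "^4.17.21", "@scope/lib": "^2.3.4"},
    "devDependencies": {"vitest": "^2.0.0"},
}


def purl_package_name(purl: str) -> str:
    """Return the npm package name encoded in a pkg:npm purl, e.g.
    pkg:npm/%40scope/lib@2.3.4 -> @scope/lib. The scope '@' is percent-encoded,
    so the last raw '@' always separates name from version."""
    if not purl.startswith("pkg:npm/"):
        return ""
    body = purl[len("pkg:npm/"):].split("?", 1)[0].split("#", 1)[0]
    name = body.rsplit("@", 1)[0] if "@" in body else body
    return name.replace("%40", "@")


def validate_sbom(sbom: dict[str, Any], package_json: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the SBOM is fit to publish."""
    findings: list[str] = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append(f"bomFormat is {sbom.get('bomFormat')!r}, expected 'CycloneDX'")
    if not isinstance(sbom.get("specVersion"), str):
        findings.append("specVersion missing")
    if not str(sbom.get("serialNumber", "")).startswith("urn:uuid:"):
        findings.append("serialNumber missing or not a urn:uuid")
    root = sbom.get("metadata", {}).get("component", {})
    if root.get("name") != package_json.get("name"):
        findings.append(f"metadata.component.name {root.get('name')!r} != package.json name")

    components = sbom.get("components")
    if not isinstance(components, list) or not components:
        findings.append("components missing or empty")
        return findings

    seen: set[str] = set()
    for comp in components:
        name = purl_package_name(comp.get("purl", ""))
        if not name:
            findings.append(f"component {comp.get('name')!r} lacks a pkg:npm purl")
            continue
        if not comp.get("version"):
            findings.append(f"component {name} has no version")
        seen.add(name)

    # A --prod SBOM must cover every runtime dependency and no dev-only one.
    prod = set(package_json.get("dependencies", {}))
    dev = set(package_json.get("devDependencies", {})) - prod
    for missing in sorted(prod - seen):
        findings.append(f"runtime dependency {missing} absent from SBOM")
    for leaked in sorted(dev & seen):
        findings.append(f"devDependency {leaked} present in a --prod SBOM")
    return findings


def sbom_digest(data: bytes) -> str:
    """SHA-256 of the SBOM bytes, to publish beside the asset for integrity checks."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Assumed CI usage: python check_sbom.py sbom.cdx.json package.json
    sbom_path, pkg_path = sys.argv[1], sys.argv[2]
    with open(sbom_path, "rb") as fh:
        raw = fh.read()
    with open(pkg_path) as fh:
        problems = validate_sbom(json.loads(raw), json.load(fh))
    print(f"sha256 {sbom_digest(raw)}  {sbom_path}")
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

The printed digest is worth attaching to the release alongside `sbom.cdx.json` (or signing), since an SBOM that consumers cannot verify against the asset they downloaded gives them little assurance; the non-zero exit makes the release job fail closed instead of publishing a tag without a usable BOM.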