feat: add SPDX SBOM generation option #5
Conversation
SMillerDev
force-pushed
the
feat/spdx
branch
9 times, most recently
from
f43f78a to
e0007bf
Compare
| . += { | ||
| name: $name, | ||
| SPDXID: "SPDXRef-\($name)", |
There was a problem hiding this comment.
For the changelog, we'd need the project version in here too. I see examples adding it to the name, which I suppose would be good enough. We could extract it from there again. A dedicated version field might be easier, though I haven't really found that in the spec. Just in some examples of other generators.
There was a problem hiding this comment.
With version, you are referring to commit hashes right?
There was a problem hiding this comment.
Well, anything we can use as input for git log
There was a problem hiding this comment.
git log 0.8.0-1-g6ed6e9fa..
This works, for example, so the output of git describe would be possible too
| jsonschema: | ||
| name: jsonschema | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
I think this might be better in a separate workflow. I think the curl is not enough and we need an actual git clone to work with, and that would open up the road to a testsuite where we clone and test with multiple different repos.
Adding the generation of an SBOM in the SPDX format