ci: publish SBoM once#4416
Open
QxBytes wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR changes the Azure DevOps pipeline to generate and publish the signed SBOM exactly once, after all build outputs (binaries and per-image archives) have been produced, to avoid _manifest being overwritten across multiple publishes and causing downstream hash mismatches.
Changes:
- Renames the binaries artifact from
outputtounsigned-binariesso it can be treated as an intermediate input. - Updates multi-arch manifest publishing to emit per-image intermediate artifacts (
unsigned-images-<name>) instead of publishingoutputrepeatedly. - Adds a new
sbom_publishstage that aggregates intermediate artifacts, generates a signed SBOM, and publishes the finaloutputartifact once.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .pipelines/pipeline.yaml | Introduces the consolidated sbom_publish stage and switches binaries publishing to an intermediate artifact name. |
| .pipelines/containers/manifest-template.yaml | Removes per-manifest SBOM generation and publishes per-image intermediate artifacts for later aggregation. |
Comment on lines
+385
to
+394
| # Run as long as no producer failed and at least one succeeded. | ||
| condition: | | ||
| and( | ||
| not(failed()), | ||
| or( | ||
| eq(dependencies.binaries.result, 'Succeeded'), | ||
| eq(dependencies.publish.result, 'Succeeded'), | ||
| eq(dependencies.publish_npm.result, 'Succeeded') | ||
| ) | ||
| ) |
Contributor
Author
There was a problem hiding this comment.
if other stages like unit tests fail, this shouldn't run anyway
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Reason for Change:
See below
Issue Fixed:
Previously we published the SBoM for each manifest, which kept overwriting the _manifest directory under output/ in published artifacts. Then, when the release pipeline consumed the artifacts, the _manifest directory would only contain the contents of the last publish leading to hash mismatches. This PR aims to only publish the _manifest directory w/ the SBoM (software bill of materials) once after all artifacts are available.
Requirements:
Notes:
Tested using the microsoft sbom validation tool to verify the _manifest folder validates the output/ folder in 20260520.3 and 20260519.8
The only surefire way to validate this that I know of is to run the real official release pipeline. The release pipeline only downloads the output artifact/folder so the _manifest should account for everything in that folder.