scripts: add py_binary target for spdx_to_github_snapshot #2
Merged
AlexanderLanin merged 1 commit into eclipse-score:main, Mar 17, 2026
Conversation
Lukasz-Juranek added a commit to Lukasz-Juranek/score-reference_integration that referenced this pull request, Mar 17, 2026
- Adds `score_sbom` as a Bazel module dependency (via `git_override`)
- Adds a root `reference_integration_sbom` Bazel target covering the core Rust showcase binaries (`//showcases/cli:cli`, `//showcases/orchestration_persistency:orch_per_example`)
- Adds `.github/workflows/generate_sbom.yml` triggered only on `workflow_dispatch` (on-demand)

What the workflow does:
1. Builds SPDX 2.3 + CycloneDX 1.6 SBOMs via `bazel build //:reference_integration_sbom`
2. Uploads both files as a GitHub Actions artifact (`sbom-<sha>`, retained 90 days)
3. Converts the SPDX output to GitHub Dependency Submission API format and submits it — enables Dependabot vulnerability alerts on the declared dependencies

Workflow improvements over initial draft:
- Use `astral-sh/setup-uv@v7.6.0` instead of `curl | sh` for reproducible, supply-chain-safe uv installation
- Add `apt-get update` before `apt-get install` to prevent intermittent failures on rotating runner images
- Invoke SPDX→snapshot converter via `bazel run @score_sbom//scripts:spdx_to_github_snapshot_bin` instead of reaching into Bazel's internal output_base directory; the required `py_binary` target is added in eclipse-score/sbom-tool#2
- Update header comment to accurately reflect that dependency snapshot submission always runs
- Use absolute paths (`$GITHUB_WORKSPACE`) for bazel run invocations
Add a runnable `spdx_to_github_snapshot_bin` py_binary target so that callers can invoke the converter via `bazel run //scripts:spdx_to_github_snapshot_bin` instead of reaching into Bazel's internal output_base directory.
AlexanderLanin approved these changes, Mar 17, 2026
Needed for eclipse-score/reference_integration#191
Summary

- Adds `spdx_to_github_snapshot_bin` as a `py_binary` Bazel target in `scripts/BUILD.bazel`
- Callers can use `bazel run //scripts:spdx_to_github_snapshot_bin` instead of reaching into Bazel's internal `output_base` directory

Motivation

Downstream workflows were locating the script via `$(bazel info output_base)/external/score_sbom+/scripts/…`, which depends on Bazel's internal layout and the module's canonical repo name — both of which can change. A proper `py_binary` target provides a stable, version-controlled invocation path.
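As an added illustration (not the PR's own diff), a `py_binary` target of the kind described above, with the fragile path it replaces shown in comments; the source file name `spdx_to_github_snapshot.py`, the `rules_python` load line and the public visibility are assumptions:

```starlark
# scripts/BUILD.bazel (illustration; file name and load path are assumptions)
load("@rules_python//python:defs.bzl", "py_binary")

py_binary(
    name = "spdx_to_github_snapshot_bin",
    # Assumed source file name; main is set explicitly because the
    # target name does not match the script name.
    srcs = ["spdx_to_github_snapshot.py"],
    main = "spdx_to_github_snapshot.py",
    # Public so a consuming module can depend on it as well as run it.
    visibility = ["//visibility:public"],
)

# Stable, version-controlled invocation from a downstream module
# (the label lives in this BUILD file, so renames are caught by Bazel):
#   bazel run @score_sbom//scripts:spdx_to_github_snapshot_bin -- <converter args>
#
# Fragile alternative this replaces: it depends on Bazel's internal
# output_base layout and on the canonical repo name "score_sbom+",
# both of which can change without any error at build time:
#   $(bazel info output_base)/external/score_sbom+/scripts/spdx_to_github_snapshot.py
```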