Conversation

JoerivanEngelen
Contributor

@JoerivanEngelen JoerivanEngelen commented Aug 18, 2025

Fixes #1639

Description

Adds pixi task to generate SBOM and add SBOM. I took this approach from Ribasim: https://github.com/Deltares/Ribasim/blob/b80ebd6d189cddf601e90b06e7c3cd5b044ce1b8/pixi.toml#L194-L199

I had to remove all the target task logic from the Ribasim example to make the linting task work on TeamCity for some reason. Locally it worked without any problems.

Checklist

  • Links to correct issue
  • Update changelog, if changes affect users
  • PR title starts with Issue #nr, e.g. Issue #737
  • Unit tests were added
  • If feature added: Added/extended example
  • If feature added: Added feature to API documentation

@Manangka
Collaborator

Manangka commented Aug 20, 2025

A couple of questions:

  1. Why is this needed?
  2. How is the sbom used?
  3. Do we need to check and regenerate the sbom each time we add a dependency to the pyproject file? Or to the pixi.toml file?
  4. If so, do we need a comment reminding people to update the sbom?
  5. Depending on how this is used, can this be generated automatically in the release pipeline?
  6. Do the developer docs need to be updated?

@JoerivanEngelen
Contributor Author

JoerivanEngelen commented Aug 21, 2025

  1. I hope the issue description was clear enough on this, but it apparently is necessary to provide a file in a standardized form listing what packages are installed along with iMOD Python for a GA release.
  2. See this link
  3. Ideally yes. Could be at least part of update pixi.toml pipeline?
  4. Good point! I can extend the PR template with an additional checkbox.
  5. See answer 3.
  6. I don't think so, as long as 3 and 4 are done? It's also part of our release form.

UPDATE: I just extended the PR template
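A staleness check of the kind question 3 asks about, as an added example that is not part of this PR or of iMOD Python: it compares the dependencies declared in pixi.toml with the components listed in the generated SBOM and reports any that are missing. It assumes a CycloneDX-style JSON SBOM with a top-level `components` list, which the thread does not state, and the sample pixi data and SBOM below are constructed.

```python
"""Report pixi.toml dependencies that a generated SBOM no longer lists."""
import json
import sys

try:
    import tomllib  # stdlib on Python 3.11+; only needed when reading real files
except ModuleNotFoundError:  # pragma: no cover
    tomllib = None

# Constructed sample of a parsed pixi.toml (the dict tomllib.load would return).
SAMPLE_PIXI = {
    "dependencies": {"python": "3.12.*", "numpy": ">=1.26", "xarray": "*"},
    "feature": {"dev": {"dependencies": {"pytest": "*"}}},
}

# Constructed CycloneDX-style SBOM; the format is an assumption, not stated in the PR.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "python", "version": "3.12.4"},
        {"name": "numpy", "version": "1.26.4"},
        {"name": "pytest", "version": "8.3.2"},
    ],
}


def declared_dependencies(pixi: dict) -> set[str]:
    """Package names from [dependencies] and every [feature.<name>.dependencies]."""
    names = set(pixi.get("dependencies", {}))
    for feature in pixi.get("feature", {}).values():
        names.update(feature.get("dependencies", {}))
    return names


def sbom_component_names(sbom: dict) -> set[str]:
    """Lower-cased component names so comparison is case-insensitive."""
    return {c["name"].lower() for c in sbom.get("components", [])}

def missing_from_sbom(pixi: dict, sbom: dict) -> set[str]:
    """Declared dependencies absent from the SBOM; a non-empty result means it is stale."""
    listed = sbom_component_names(sbom)
    return {d for d in declared_dependencies(pixi) if d.lower() not in listed}


def main(pixi_path: str, sbom_path: str) -> int:
    """Exit 1 when the SBOM is stale, so a CI task can fail on a forgotten regeneration."""
    if tomllib is None:
        raise RuntimeError("tomllib requires Python 3.11+")
    with open(pixi_path, "rb") as f:
        pixi = tomllib.load(f)
    with open(sbom_path, "rb") as f:
        sbom = json.load(f)
    missing = missing_from_sbom(pixi, sbom)
    for name in sorted(missing):
        print(f"not in SBOM: {name}", file=sys.stderr)
    return 1 if missing else 0
```

Run as `main("pixi.toml", "sbom.json")` from the pixi task that the PR adds; with the constructed samples, `xarray` is reported as missing.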

@Manangka
Collaborator

Can you make an issue for extending the pixi update pipeline and assign me?

I know what a SBOM is, but I'm just curious what it is going to be used for. It's probably not for the users but for some internal tool.

@JoerivanEngelen
Contributor Author

Can you make an issue for extending the pixi update pipeline and assign me?

Done #1643

@JoerivanEngelen JoerivanEngelen merged commit f3c2969 into master Aug 22, 2025
7 checks passed
@JoerivanEngelen JoerivanEngelen deleted the issue_#1639_SBOM_generation branch August 22, 2025 07:00
Successfully merging this pull request may close these issues.

Investigate SBOM generation