Open
Conversation
sbomnix creates much better SBOMs than tom-bombadil. Also, we can adhere to our new rule to have one SBOM file per thing.
zebot
added
the
ok-to-test
Contributor
There was a problem hiding this comment.
Pull request overview
This PR extends the repository’s SBOM tooling to cover additional Nix-based build artifacts, aligning SBOM generation/upload workflows with the ongoing SBOM creation epic.
Changes:
- Extend
make sbomsto include SBOM generation for Nix-built Docker images and Nix devShells. - Add new
hack/binscripts to generate CycloneDX SBOMs viasbomnix, and update upload logic to include the new SBOM categories. - Add
sbomnixas a Nix flake input and include it in the SBOM devShell toolchain.
Reviewed changes
Copilot reviewed 2 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
Makefile |
Adds new sboms-nix-* targets and includes them in the aggregate sboms target. |
hack/bin/upload-all-sboms.sh |
Makes SBOM uploads conditional on directory presence and adds upload handling for Nix Docker image + devShell SBOMs. |
hack/bin/create-nix-docker-image-sboms.sh |
New script to generate runtime/buildtime SBOMs for Nix-built Docker images using sbomnix. |
hack/bin/create-nix-devshell-sbom.sh |
New script to generate runtime/buildtime SBOMs for Nix devShells using sbomnix. |
hack/bin/create-helm-sboms.sh |
Updates Helm templating to pass minimal values for specific charts to satisfy required checks. |
flake.nix |
Adds sbomnix input and exposes it in the SBOM devShell packages. |
flake.lock |
Locks sbomnix and its transitive inputs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
supersven
force-pushed
the
sventennie/sbomnix
branch
from
e7fd8c0 to
cbe84d6
Compare
blackheaven
approved these changes
Apr 2, 2026
Also, fail if this goes wrong to spot missing template replacements early.
supersven
force-pushed
the
sventennie/sbomnix
branch
from
cbe84d6 to
ecc5d25
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Use
sbomnixto create SBOMs for Nix-generated docker images and flakedevShells. (It's much better than tom-bombadil regarding speed and completeness.)Also, adjust the Helm template-ing after inlining other charts into
wire-server.The result of the whole workflow can be seen here: https://deptrack.wire.link/projects/1ac04e80-0376-413c-a26b-5ac0dd857338/collectionprojects
Ticket: https://wearezeta.atlassian.net/browse/WPB-20616
Checklist
changelog.d