Current implementation utilizes https://github.com/CycloneDX/cyclonedx-node-module/ in version @<4.
v3 is deprecated. v4 became a meta package, utilizing special implementations for npm, pnpm, yarn, ...
GOAL: rework this GH action:
- input (intended to be as much backward compatible as possible, to not break users of the @master version too much):
  - path to the project dir - default to ./
  - cyclonedx-version: {1.4, 1.3, ...} - default to latest
  - output: output file - default to ./bom.xml
  - package-manager: {npm, pnpm, yarn, yarn2}
    - it is expected that the env already has a node env set up and the package manager is installed.
    - auto-detection: based on lock file type
      - it could detect existence of a {npm,pnpm,yarn} lockfile
- process:
  - if the tools are not yet available in the current target env, then the needed appropriate tools are installed with the according eco system (npx i / pnpm add / yarn add) in a temp dir
  - the appropriate application is run from that temp dir
  - if there is no appropriate application (yet), the GH action exits with an error and prints an info message.
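As an added illustration of the `package-manager` input and the lock-file auto-detection described above (example code, not the action's own implementation): a POSIX shell helper that resolves the package manager from an explicit input when given and validated, and otherwise from the lock file present in the project dir. The file names are the standard ones (`package-lock.json` / `npm-shrinkwrap.json`, `pnpm-lock.yaml`, `yarn.lock`); telling yarn v1 from yarn2 (Berry) apart by the `__metadata:` block in `yarn.lock` is an assumption made for this example, and the precedence order when several lock files coexist is a choice of this example, not something the plan specifies.

```shell
#!/bin/sh
# Added example, not the action's own code. Detects the Node package manager of a
# project from its lock file. Prints one of: npm, pnpm, yarn, yarn2.
# Returns 1 (with a message on stderr) when no supported lock file is found,
# mirroring "exit with an error, print an info message" from the plan.
detect_package_manager() {
  dir="${1:-.}"
  if [ -f "$dir/pnpm-lock.yaml" ]; then
    echo pnpm
  elif [ -f "$dir/yarn.lock" ]; then
    # Assumption for this example: Yarn Berry (v2+) lock files carry a
    # top-level "__metadata:" block, classic Yarn v1 lock files do not.
    if grep -q '^__metadata:' "$dir/yarn.lock"; then
      echo yarn2
    else
      echo yarn
    fi
  elif [ -f "$dir/package-lock.json" ] || [ -f "$dir/npm-shrinkwrap.json" ]; then
    echo npm
  else
    echo "no supported lock file (npm/pnpm/yarn) found in: $dir" >&2
    return 1
  fi
}

# Resolves the effective package manager:
#   $1 = explicit "package-manager" input (may be empty for auto-detection)
#   $2 = project dir (defaults to ./)
# Only the four supported values are accepted; anything else is rejected so a
# typo in the workflow input cannot silently fall through to the wrong tool.
resolve_package_manager() {
  explicit="$1"
  dir="${2:-.}"
  case "$explicit" in
    npm|pnpm|yarn|yarn2) echo "$explicit" ;;
    "") detect_package_manager "$dir" ;;
    *)
      echo "unsupported package-manager input: $explicit (expected npm, pnpm, yarn or yarn2)" >&2
      return 1
      ;;
  esac
}

# Usage from an action step (hypothetical input names):
#   pm=$(resolve_package_manager "$INPUT_PACKAGE_MANAGER" "$INPUT_PATH") || exit 1
```

The explicit input takes precedence over detection, so a repo that keeps more than one lock file around can still be pinned to the intended tool from the workflow.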
internally
change process:
- use @v1 instead of @master, then 1.x, v2 and so on ...
- @master - the master branch must be working all the time; do development in a dedicated temp branch!