chore(deps): add humantime as v0.5 wiring placeholder + dogfood demo#1
Closed
Metbcy added a commit that referenced this pull request on Apr 29, 2026
GitHub Actions resolves a composite action's manifest at the repo root by default. Our manifest lived at action/action.yml since v0.1.0, which means consumers writing the documented form - uses: Metbcy/bomdrift@v1 hit the runner error Can't find 'action.yml', 'action.yaml' or 'Dockerfile' for action 'Metbcy/bomdrift@v1'. Every README example, every docs site snippet, every workflow we ever wrote used the @v1 form — all of them broken since shipping.

The bug was inert through v0.4.2 because nobody had actually tried to invoke the action; bomdrift's own dogfood SBOM-diff workflow (60e772d) was the first to do so and failed in 7 seconds with the above error.

This commit moves action.yml and entrypoint.sh to the repo root. The `${{ github.action_path }}/entrypoint.sh` reference inside action.yml continues to resolve correctly — that variable points at whatever directory contains the loaded action manifest, so moving the files keeps the relative reference intact.

Bumps Cargo.toml + Cargo.lock + CHANGELOG to v0.4.3 patch release. No source-code logic change; pure layout fix. After tagging v0.4.3 and bumping @v1, the bomdrift dogfood workflow on PR #1 should rerun and succeed (and post the long-awaited first dogfood comment).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
b4e427e to 2290c07
SBOM diff
Added (1)
False positive? Report it · Suppress a finding? Comment
Metbcy added a commit that referenced this pull request on Apr 29, 2026
…stdout

Two bugs that have been latent since v0.1.0 and surfaced together when bomdrift's dogfood workflow (PR #1) tried to actually invoke Metbcy/bomdrift@v1 for the first time.

The chain of failure

1. download_bomdrift() emits ::group::bomdrift: Downloading... via `log()`, which writes to stdout. Same for ::endgroup::.
2. cosign verify-blob writes "Verified OK" to stdout.
3. The caller captures download_bomdrift's stdout: `bin="$(download_bomdrift ...)"`. So $bin ends up as ::group::... + Verified OK + ::endgroup:: + the actual binary path, all concatenated.
4. main() then runs `"$bin" "${args[@]}"`. Bash tries to exec a "command" called `::group::bomdrift: Downloading...`. Linux responds with `File name too long` (the path-as-string is too long for the kernel's exec limits).
5. bomdrift never actually runs. The wrapping `run_diff` function tees its stdout into a tempfile (which becomes the PR comment body). The tempfile contains only `run_diff`'s own ::group::...::endgroup:: directives — no diff.
6. The PR comment lands as `<!-- bomdrift:diff -->\n::group::... \n::endgroup::`. The world's most useless comment.

Fix

- log() and endlog() write to stderr instead of stdout. GitHub Actions parses workflow commands from both streams, so the job-log UI grouping is preserved while the stdout streams stay clean for the data they're carrying.
- download_bomdrift() additionally does `exec 3>&1 1>&2` at the top, redirecting its entire work region to stderr, then restores stdout via `exec 1>&3 3>&-` just before the final `printf '%s' "$bin"`. Catches every other stdout-leaking command in the function (cosign, any curl progress mode, future tar verbosity, etc.). The captured value is now guaranteed to be exactly the binary path.

Local smoke test shape

```
$ mock_download() {
    exec 3>&1 1>&2
    log "Downloading"                    # -> stderr
    echo "cosign output"                 # -> stderr (because of exec)
    endlog                               # -> stderr
    exec 1>&3 3>&-
    printf '%s' "/tmp/bomdrift-binary"   # -> original stdout
  }
$ bin="$(mock_download)"
$ echo "[$bin]"
[/tmp/bomdrift-binary]
```

Bumps Cargo.toml + Cargo.lock + CHANGELOG to v0.4.4. After tagging v0.4.4 and bumping @v1, the dogfood workflow on PR #1 should rerun and produce a correctly-rendered comment with humantime@2.3.0 in the Added section.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
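The capture bug and the fd 3 save/restore fix described in the commit above, as an added runnable example that is not bomdrift's own entrypoint.sh; `log`, `endlog`, `verify_blob` and the two download functions are stand-ins, and `/tmp/bomdrift-binary` is a constructed path:

```shell
#!/bin/sh
# Added example, not bomdrift's entrypoint.sh: a function whose stdout is
# captured with $(...) must keep chatter off stdout. log/endlog/verify_blob
# are stand-ins; the binary path is a constructed value.
set -eu

# Workflow commands on stderr: GitHub Actions parses both streams, so the
# job-log grouping survives while stdout stays free for the return value.
log()    { printf '::group::%s\n' "$1" >&2; }
endlog() { printf '::endgroup::\n' >&2; }

# Stand-in for cosign verify-blob, which prints "Verified OK" on stdout.
verify_blob() { echo "Verified OK"; }

# Buggy shape (pre-v0.4.4): every stdout line ends up in the captured value.
download_buggy() {
    printf '::group::bomdrift: Downloading...\n'
    verify_blob
    printf '::endgroup::\n'
    printf '%s' "/tmp/bomdrift-binary"
}

# Fixed shape: fd 3 saves the original stdout, fd 1 points at stderr for the
# whole work region, and stdout is restored right before the single value.
download_fixed() {
    exec 3>&1 1>&2
    log "bomdrift: Downloading..."
    verify_blob
    endlog
    exec 1>&3 3>&-
    printf '%s' "/tmp/bomdrift-binary"
}

# Number of lines the caller's "$bin" would hold for a given downloader
# (stderr is discarded here so only the captured stream is measured).
captured_line_count() {
    bin="$("$1" 2>/dev/null)"
    printf '%s\n' "$bin" | wc -l | tr -d ' '
}

# The string the caller would try to exec; only the fixed one is a real path.
captured_value() { "$1" 2>/dev/null; }

echo "buggy lines: $(captured_line_count download_buggy)"   # 4
echo "fixed lines: $(captured_line_count download_fixed)"   # 1
```

Run it with any POSIX shell; the buggy variant yields a four-line "command name", the fixed one yields exactly the path.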
2290c07 to 61cb2a1
Metbcy added a commit that referenced this pull request on Apr 29, 2026
The first successful dogfood run on PR #1 showed the comment landing correctly with humantime@2.3.0 in the Added section, but also with five `file:` ecosystem entries in both Added and Removed:

| file | /home/runner/work/bomdrift/bomdrift/.github/workflows/ci.yml |
| file | /home/runner/work/bomdrift/bomdrift/base/.github/workflows/ci.yml |
...

Syft's default cataloger set walks the filesystem and emits each YAML workflow + lockfile as a `file:`-ecosystem component. The path differs between the PR-head checkout (`/home/runner/work/bomdrift/bomdrift/...`) and the base-ref checkout (`./base/...`), so every file shows up as both an "added" and a "removed" component in the diff — pure noise.

Pinning `SYFT_DEFAULT_CATALOGERS=rust-cargo-lock,rust-modules` limits the scan to Rust-package metadata only. The dogfood diff now shows just the actual Cargo dependency changes.

This is a workflow-config tweak local to bomdrift's own dogfood; the underlying noise is also a real-world issue for any consumer using anchore/sbom-action@v0 with default catalogers on a non-Rust project. Filed as a v0.5 bomdrift consideration: should the parser filter out `Ecosystem::Other("file")` components, or should the docs warn users to scope their Syft scan?

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bdc67a5 to df05a1e
Adds humantime ^2 to runtime dependencies. Currently unused; the intent is to humanize maintainer-age "X days ago" formatting in the rendered output once the v0.5 calibration work picks it up. Pulling it in as a separate PR rather than bundling with the v0.5 feature commit lets the dogfood SBOM-diff workflow on bomdrift's own repo (introduced in 60e772d) exercise the action's end-to-end Added-component path on a real Cargo dep change. This PR is the first dogfood test — if the action works, the comment showing humantime@2.3.0 as an Added component should appear below. If the demo lands cleanly, this PR can either be merged (humantime sits as a no-op runtime dep until v0.5 wires it) or reverted with a "demo successful, reverting until actually used" note. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
df05a1e to ed4a947

Metbcy (Owner, Author):
Closing as legacy. This PR was the v0.5-era dogfood smoke test for the SBOM-diff Action; bomdrift has since shipped through v0.6.0, v0.6.1, and the v0.9.x line, so the comment-history proof on this PR is the artifact we wanted. Merging the snapshot at this point would actually revert the project (diff vs Follow-up dogfood happens organically through every release-prep PR now.
This is the first dogfood test of the SBOM-diff Action wired up in 60e772d. If everything works end-to-end, a bomdrift comment should appear on this PR within ~30s of opening, showing humantime@2.3.0 as an Added component.

What this PR does

- humantime = "2" to [dependencies]. Currently unused; the intent is to humanize the maintainer-age enricher's "X days ago" formatting in v0.5.
- Cargo.lock to pin humantime@2.3.0.

What we're testing

- Cargo.toml-touching PR. ✓ (you're seeing this)
- anchore/sbom-action@v0 generates a CycloneDX SBOM from the Rust manifest at the PR head + the base ref.
- Metbcy/bomdrift@v1 downloads the v0.4.2 release archive, cosign-verifies it, runs bomdrift diff before.json after.json, and posts the rendered markdown as a PR comment marked <!-- bomdrift:diff -->.
- humantime@2.3.0 as an Added component and surfaces no other (false-positive) signals.

Disposition

If the comment lands cleanly:

- humantime sit as a no-op until v0.5 wires it, OR
- the dogfood proof exists in the PR's comment history.

If the comment fails or shows wrong content, that's a bug in the action / SBOM generator / bomdrift itself — investigate and fix before merging.