As discussed in the SIG meeting a few weeks ago, we'd like to move license/compliance/provenance rules out of bazelbuild/rules_license and make it owned by the community.
Therefore, we'd like to create bazel-contrib/supply-chain to host the rules and providers for declaring package metadata like licenses.
This will be a new GitHub repo with multiple bzlmod repos (looking to start with 2, but planning to extend over time to cover other areas of the supply chain).
package_metadata will contain providers for declaring package metadata (e.g., PURL of the package, its license, GH repo it's hosted on, ...) and rules for injecting the providers into the build graph (e.g., via package(default_package_metadata=["//:metadata"])). We expect that virtually every bzlmod repo will depend on this (including rule sets), so we're making this a separate repo without any dependencies, to not pull in any rules/languages that users/companies might not want and thus prevent them from using package_metadata.
rules_sbom will contain rules that generate an SBOM (file) for a target by traversing the transitive dependencies to collect package_metadata for everything in the transitive closure of said target.
Checklist:
Must use an open-source license, preferably Apache-2.0.
Must have wide applicability in the community.
Must have a clear point of contact who answers questions from the SIG.
Must be “production quality”:
clear README or other documentation outlining the goal of these rules, how to use them etc.
generated API documentation
include examples of use
tests that are running continuously
Must reply to issues/PRs in 2-3 weeks (exact service level agreement TBD)
Must have more than one person who is committed to review/approve PRs
We recommend encoding this as a CODEOWNERS file.
see points of contact above
Must publish semver releases.
Optional: follow the same release pattern as the rules-template does.
rules_license will become a shim to package_metadata. I think the expectation is that people still migrate to use package_metadata directly instead of going through the shim, but we'll make sure that there's a smooth migration path with the shims.
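As an added illustration of the mechanism the proposal describes (a provider carrying package metadata, an aspect that walks deps so the transitive closure of a target is covered, and a rule that writes the collected metadata out as an SBOM file), the Starlark below is example code, not code from bazel-contrib/supply-chain or rules_license. The names PackageMetadataInfo, package_metadata, collect_metadata and sbom, the exact provider fields, and the assumption that metadata set through package(default_package_metadata = [...]) shows up on ctx.rule.attr.package_metadata inside the aspect, are all assumptions made for this example.

```starlark
# Example only; not the proposal's or rules_license's code.
# Provider, rule and attribute names are assumptions.

PackageMetadataInfo = provider(
    doc = "Hypothetical provider: metadata about the package a target belongs to.",
    fields = {
        "purl": "Package URL (PURL) identifying the package.",
        "license": "SPDX license identifier.",
        "repo_url": "URL of the source repository (may be empty).",
    },
)

def _package_metadata_impl(ctx):
    # One rule instance per package; referenced from package(default_package_metadata = [...]).
    return [PackageMetadataInfo(
        purl = ctx.attr.purl,
        license = ctx.attr.license,
        repo_url = ctx.attr.repo_url,
    )]

package_metadata = rule(
    implementation = _package_metadata_impl,
    attrs = {
        "purl": attr.string(mandatory = True),
        "license": attr.string(mandatory = True),
        "repo_url": attr.string(default = ""),
    },
)

# Internal provider propagated by the aspect: a depset of PackageMetadataInfo
# for the target and everything reachable through its deps.
_TransitiveMetadataInfo = provider(fields = {"metadata": "depset of PackageMetadataInfo"})

def _collect_metadata_impl(target, ctx):
    direct = []
    # Assumption: metadata declared via package(default_package_metadata = [...])
    # is visible to the aspect as the rule attribute "package_metadata".
    for m in getattr(ctx.rule.attr, "package_metadata", []):
        if PackageMetadataInfo in m:
            direct.append(m[PackageMetadataInfo])
    transitive = []
    # Deps already visited by this aspect carry their own transitive depset.
    for dep in getattr(ctx.rule.attr, "deps", []):
        if _TransitiveMetadataInfo in dep:
            transitive.append(dep[_TransitiveMetadataInfo].metadata)
    return [_TransitiveMetadataInfo(metadata = depset(direct, transitive = transitive))]

collect_metadata = aspect(
    implementation = _collect_metadata_impl,
    # Follow "deps" edges so the whole transitive closure is traversed.
    attr_aspects = ["deps"],
)

def _sbom_impl(ctx):
    components = []
    for m in ctx.attr.target[_TransitiveMetadataInfo].metadata.to_list():
        components.append({
            "purl": m.purl,
            "license": m.license,
            "repo_url": m.repo_url,
        })
    out = ctx.actions.declare_file(ctx.label.name + ".sbom.json")
    # Minimal JSON document listing every package found in the closure.
    ctx.actions.write(out, json.encode_indent({"components": components}, indent = "  "))
    return [DefaultInfo(files = depset([out]))]

sbom = rule(
    implementation = _sbom_impl,
    attrs = {
        # Attaching the aspect here is what triggers the traversal.
        "target": attr.label(aspects = [collect_metadata], mandatory = True),
    },
)
```

Usage would be a package_metadata target in a BUILD file, referenced from that package's package(default_package_metadata = ["//:metadata"]), and an sbom(name = "app_sbom", target = "//app") target; building app_sbom writes app_sbom.sbom.json. The depset keeps each provider instance once even when it is reachable through several paths, which is what makes the collection cheap on large graphs.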