
SBOM github action still not triggering #3273

Closed
mstoykov opened this issue Aug 14, 2023 · 3 comments · Fixed by #3279

Comments

@mstoykov (Contributor)

What?

Initially added in #3089, with an attempted fix in #3254 - the SBOM GitHub action did not trigger for the v0.46.0 release.

Fix:

I have no idea what is going on ... and I guess we can just make it part of the release action instead and that will work 🤷

@tungbq (Contributor) commented Aug 15, 2023

Hello, I had a look at the issue and here are my findings so far:

There is a similar issue discussed at https://github.com/orgs/community/discussions/27028
There is a limitation of workflows: an action in a workflow run can't trigger a new workflow run.

When you use GITHUB_TOKEN in your actions, all of the interactions with the repository are on behalf of the GitHub Actions bot. Operations performed by the GitHub Actions bot cannot trigger a new workflow run.

That's what's going on in our release:

  • Looking at the release we can see that it was published by the github-actions bot
    [image: release page showing the release published by github-actions]
  • Then that release event, generated by the github-actions bot, cannot trigger a new workflow run
  • That's why the "Try to fix sbom-report.yml" #3254 change did not work

I think we possibly have 3 approaches to resolve this issue:

  1. Same as @mstoykov's idea - we can just make it part of the release action instead

  2. Use our own PAT when creating the release. We can store the PAT in secrets and use ${{ secrets.PATNAME }} in our actions.

    env:
      GITHUB_TOKEN: ${{ secrets.PATNAME }}

    Downside: I personally think adding a PAT to every repo in our organization is not a good option. Also, we'd need admin permission to add the credentials

  3. Update the https://github.com/grafana/k6/blob/master/.github/workflows/sbom-report.yml workflow to run on the tag-created event instead

    on:
      push:
        tags:
          - v*

Not sure which is the best approach for our repository; I personally prefer approach 1.

Please check and advise if you have any thoughts. Once we settle on a final approach that I can help with, I'd be willing to open the PR to resolve the issue. Thanks!

@mstoykov (Contributor, Author)

Thanks for the excellent investigation @tungbq 🙇

Looking at the three options, I think we can't do 3, as part of the idea here is to attach this to the release (automatically).

And this is something that won't work, as at the creation of the tag the release is not created yet.

Given that 2 seems like a lot more work, I expect that we will go with putting the SBOM generation as part of the release process.

If you want, I think we can have a PR made by you :)

@tungbq (Contributor) commented Aug 15, 2023

> Thanks for the excellent investigation @tungbq 🙇
>
> Looking at the three options, I think we can't do 3, as part of the idea here is to attach this to the release (automatically).
>
> And this is something that won't work, as at the creation of the tag the release is not created yet.
>
> Given that 2 seems like a lot more work, I expect that we will go with putting the SBOM generation as part of the release process.
>
> If you want, I think we can have a PR made by you :)

Thanks for your kind response and the advice. I've proposed PR #3279 to put the SBOM generation as part of the release process. Please have a look and review it. Thanks!
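The shape of approach 1 discussed above, as an added example that is not the k6 repository's own workflow nor the content of PR #3279: the SBOM job lives in the same workflow as the release job and chains to it with `needs`, so nothing has to be triggered by the release event that the GITHUB_TOKEN-authenticated bot cannot fire. The `release` job body, the `anchore/sbom-action` inputs and the file names are assumptions; `permissions` is kept to the minimum each job needs.

```yaml
# Added example, not the k6 project's workflow. Job bodies, action
# inputs and file names below are assumptions for illustration.
name: Release

on:
  push:
    tags:
      - "v*"

# No permissions by default; each job widens only what it needs.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write            # create the GitHub release
    steps:
      - uses: actions/checkout@v4
      - name: Create the release from the pushed tag
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create "${GITHUB_REF_NAME}" --generate-notes

  sbom:
    # Same workflow run as `release`: the release being created by the
    # github-actions bot is irrelevant, because no second workflow run
    # has to be triggered by that event.
    needs: release
    runs-on: ubuntu-latest
    permissions:
      contents: write            # attach the SBOM as a release asset
    steps:
      - uses: actions/checkout@v4
      - name: Generate an SPDX SBOM for the checked-out source
        # Assumed action and inputs; pin third-party actions to a full
        # commit SHA rather than a tag in a real workflow.
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom.spdx.json
          upload-artifact: false
      - name: Attach the SBOM to the release created by the previous job
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${GITHUB_REF_NAME}" sbom.spdx.json --clobber
```

Because `GITHUB_REF_NAME` is the pushed tag in both jobs, the upload targets exactly the release the first job created; if `release` fails, `needs` prevents `sbom` from running against a nonexistent release.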
