ppkarwasz commented on PR #3502:
URL: https://github.com/apache/solr/pull/3502#issuecomment-3245201303

> Should I include `branch_9x`? wdyt?

It really depends on what you want to achieve.

* **Dependency Graph:** GitHub only uses the graph from the **default branch** to determine dependent projects. When I tried submitting for another branch, I got this message:

  > Submitted dependency-graph-reports/dependency_graph_submission-dependency-submission.json: The snapshot was accepted, but it is not for the default branch. It will not update dependency results for the repository.

  So including `branch_9x` won't affect the dependency graph GitHub shows.

* **SBOM generation:** You *can* still generate an SBOM from a non-default branch, but the SBOMs GitHub produces are of limited value: they often include extra dependencies and can only be created for branches (not for release tags). Personally, I prefer to control SBOM contents more tightly. I'm also working on [SBOM Enforcer](https://github.com/sbom-enforcer/sbom-enforcer) to enrich SBOMs with data that other tools miss: for example, shaded dependencies in Hadoop, which can be retrieved from Hadoop's SBOM (but not its POM file). That's a slow, ongoing effort, but I think I know how to tackle it.

* **Dependabot Alerts:** In theory, you can get alerts on non-default branches (by configuring Dependabot to open `0` PRs there). In practice I haven't managed to get this working, but I'll try.
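As an added illustration of the Dependabot setup described in the last bullet (example configuration, not from the PR or the Solr project; the Gradle ecosystem, root directory and weekly schedule are assumed), a `dependabot.yml` that also scans `branch_9x` while opening no pull requests there:

```yaml
# Added example, not Solr's own configuration.
version: 2
updates:
  # Version updates on the default branch (assumed: Gradle build at the repo root).
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"

  # Same ecosystem and directory, but targeting branch_9x.
  # open-pull-requests-limit: 0 means Dependabot opens no version-update PRs
  # on that branch; the comment above notes this has not yet been confirmed
  # to produce alerts for the non-default branch in practice.
  - package-ecosystem: "gradle"
    directory: "/"
    target-branch: "branch_9x"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```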


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.