
Conversation

shichengripple001
Collaborator

High Level Overview of Change

Update Slack channel for infosec review message
Add version tag for OWASP dependency tracking project

Context of Change

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Refactor (non-breaking change that only restructures code)
  • Tests (You added tests for code that already exists, or your new feature included in this PR)
  • Documentation Updates
  • Release

Did you update HISTORY.md?

  • Yes
  • No, this change does not impact library users

Test Plan


coderabbitai bot commented Oct 17, 2025

Walkthrough

Modified the GitHub Actions release workflow to enable automatic SBOM project creation with configurable names and versions instead of fixed project IDs, updated the security review Slack notification channel, and simplified the release job step naming.

Changes

Cohort / File(s): GitHub Actions Workflow Configuration (.github/workflows/release.yml)
Summary: SBOM upload: Removed fixed project ID, added autoCreate, projectName, and projectVersion fields for automatic project creation. Slack notification: Changed security-review channel from #xrpl-js to #ripplex-security. Release job: Simplified step name from "Release Pipeline for..." to "Release for...".

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

Suggested reviewers

  • ckeshava
  • pdp2121
  • achowdhry-ripple
  • kuan121
  • Patel-Raj11

Poem

🐰 The workflow hops with SBOM's grace,
Auto-projects now find their place,
Slack channels reroute the news,
Release steps shed their verbose ruse—
Pipeline clean, efficient race! 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check: Description Check
Status: ⚠️ Warning
Explanation: The PR description is largely incomplete and does not meet the template requirements. While the "High Level Overview of Change" section is filled with two concise bullet points, all other critical sections are missing or unchecked: the "Context of Change" section contains only template comments with no actual content, no "Type of Change" checkbox is selected despite the clear options provided, the "Did you update HISTORY.md?" status is not indicated, and the "Test Plan" section is entirely empty. This leaves significant gaps in understanding the rationale, impact classification, and testing verification for these changes.
Resolution: The author should complete the PR description by: selecting an appropriate "Type of Change" checkbox (likely "Refactor" given the workflow and configuration updates), providing context for why the Slack channel was changed and how the OWASP versioning improves project tracking, indicating whether HISTORY.md was updated, and providing a brief test plan describing how these workflow changes were verified.

✅ Passed checks (2 passed)

Check: Title Check
Status: ✅ Passed
Explanation: The PR title "update slack message/add version tag for owsap project" is partially related to the changeset. It accurately refers to two real changes: the Slack notification channel update (from #xrpl-js to #ripplex-security) and the addition of version fields for the OWASP project auto-creation. However, the title is somewhat incomplete as it omits the third change regarding release workflow naming updates, and it could be more specific about what aspects are being changed. The title is not misleading or off-topic, and it conveys meaningful information about the primary changes.

Check: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changes. Docstring coverage check skipped.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

501-501: Slack channel correctly updated for security team review.

The change correctly targets the security team notification to #ripplex-security while preserving #xrpl-js for dev team and release notifications. This intentional separation of concerns aligns well with the PR objectives.

Ensure that the #ripplex-security Slack channel exists, is monitored by the intended security team, and has appropriate permissions for the Slack bot user.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9e7b328 and 08be1c5.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: browser (24.x)
  • GitHub Check: integration (24.x)
  • GitHub Check: unit (20.x)
  • GitHub Check: unit (22.x)
  • GitHub Check: integration (20.x)
  • GitHub Check: integration (22.x)
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (2)
.github/workflows/release.yml (2)

524-524: Release job name simplified.

The job name is now more concise and readable without the "Pipeline" prefix. No functional impact.

206-208: Verify the per-version project model aligns with your vulnerability tracking strategy.

The code change replaces a fixed project ID with auto-creation using projectName and projectVersion. The OWASP Dependency-Track API v1 /api/v1/bom endpoint fully supports these parameters (projectName, projectVersion, autoCreate), so this is a valid technical implementation.

This shifts from updating a single managed OWASP project to creating a new project for each release version. Confirm this aligns with:

  • How you track and retain vulnerability data across releases
  • Any existing project organization or reporting workflows in OWASP
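
To make the per-version project model concrete, here is an added example (not code from the workflow, the PR or Dependency-Track) that builds the PUT /api/v1/bom body in both forms, the fixed project UUID the workflow used before and the autoCreate/projectName/projectVersion form it uses now, and predicts, against a constructed list of existing projects, whether an upload updates an existing project or creates a new one. The name "example-lib", the UUID and the SBOM bytes are constructed sample data.

```python
import base64

# Constructed sample data: a minimal CycloneDX document and the projects a
# Dependency-Track server is imagined to hold already.
SAMPLE_SBOM = b'{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}'
SAMPLE_PROJECTS = [
    {"uuid": "00000000-0000-4000-8000-000000000001",
     "name": "example-lib", "version": "4.3.0"},
]


def build_bom_request(sbom_bytes, project_uuid=None, project_name=None,
                      project_version=None, auto_create=False):
    """Return the JSON body for PUT /api/v1/bom (sent with an X-Api-Key header).

    'before' form: a fixed project UUID.  'after' form: projectName +
    projectVersion with autoCreate, as the release workflow now does.
    This helper insists on both name and version in the second form.
    """
    if project_uuid is None and not (project_name and project_version):
        raise ValueError("need project uuid or projectName + projectVersion")
    body = {"bom": base64.b64encode(sbom_bytes).decode("ascii")}
    if project_uuid is not None:
        body["project"] = project_uuid
    else:
        body["projectName"] = project_name
        body["projectVersion"] = project_version
        body["autoCreate"] = auto_create
    return body


def resolve_target(existing_projects, body):
    """Predict how the server treats the body given its current projects.

    Returns ("update", uuid), ("create", "name@version") or ("reject", why).
    With autoCreate, every new projectVersion becomes a separate project
    with its own findings history, which is the per-version model the
    review asks the author to confirm.
    """
    if "project" in body:
        for p in existing_projects:
            if p["uuid"] == body["project"]:
                return ("update", p["uuid"])
        return ("reject", "unknown project uuid")
    for p in existing_projects:
        if (p["name"], p["version"]) == (body["projectName"], body["projectVersion"]):
            return ("update", p["uuid"])
    if body.get("autoCreate"):
        return ("create", f'{body["projectName"]}@{body["projectVersion"]}')
    return ("reject", "no matching project and autoCreate is false")
```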
