Commit 59981ea3 authored by Pierre Smeyers

fix(sbom): only generate SBOMs on prod branches, integ branches and release tags

parent 9a74d04a
+1 −0
@@ -359,6 +359,7 @@ It is bound to the `test` stage, and uses the following variables:
| Input / Variable                     | Description                                                 | Default value        |
| ------------------------------------ | ----------------------------------------------------------- | -------------------- |
| `sbom-disabled` / `NG_SBOM_DISABLED` | Set to `true` to disable this job                           | _none_               |
| `TBC_SBOM_MODE`                      | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `NG_SBOM_DISABLED` takes precedence | `onrelease` |
| `sbom-version` / `NG_SBOM_VERSION`   | The version of @cyclonedx/cyclonedx-npm used to emit SBOM   | _none_ (uses latest) |
| `sbom-opts` / `NG_SBOM_OPTS`         | Options for @cyclonedx/cyclonedx-npm used for SBOM analysis | `--omit dev`         |

+8 −0
@@ -142,6 +142,14 @@
      "description": "This job generates a file listing all dependencies using [@cyclonedx/cyclonedx-npm](https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm)",
      "disable_with": "NG_SBOM_DISABLED",
      "variables": [
        {
          "name": "TBC_SBOM_MODE",
          "type": "enum",
          "values": ["onrelease", "always"],
          "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
          "advanced": true,
          "default": "onrelease"
        },
        {
          "name": "NG_SBOM_VERSION",
          "description": "Version of the @cyclonedx/cyclonedx-npm used for SBOM analysis",
+18 −1
@@ -133,7 +133,18 @@ workflow:
    # else (Ready MR): auto & failing
    - when: on_success

# software delivery job prototype: run on production and integration branches + release pipelines
.delivery-policy:
  rules:
    # on tag with release pattern
    - if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
    # on production or integration branch(es)
    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'

variables:
  # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
  TBC_SBOM_MODE: "onrelease"

  # Default ng workspace
  NG_WORKSPACE_DIR: $[[ inputs.workspace-dir ]]
  # Default Docker image for ANGULAR CLI (can be overridden)
@@ -797,7 +808,13 @@ ng-sbom:
    # exclude if disabled
    - if: '$NG_SBOM_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
    # 'always' mode: run
    - if: '$TBC_SBOM_MODE == "always"'
    # exclude unsupported modes
    - if: '$TBC_SBOM_MODE != "onrelease"'
      when: never
    # 'onrelease' mode: use common software delivery rules
    - !reference [.delivery-policy, rules]

###############################################################################################
#                                      publish stage:                                         #
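Review bot: The new `.delivery-policy` (and therefore the `onrelease` path of `ng-sbom`) classifies a pipeline as a release or production run purely by ref name — `$CI_COMMIT_TAG =~ $RELEASE_REF` and `$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF` — so any branch or tag whose name happens to match the pattern is treated as a delivery ref whether or not it is protected. For SBOM generation alone that is low impact, but the comment advertises this as the prototype for software delivery jobs, so consider also gating both rules on protection status, e.g. `- if: '$CI_COMMIT_TAG =~ $RELEASE_REF && $CI_COMMIT_REF_PROTECTED == "true"'` and `- if: '($CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF) && $CI_COMMIT_REF_PROTECTED == "true"'`, or at least documenting that `$PROD_REF`/`$INTEG_REF`/`$RELEASE_REF` are expected to be protected refs. Separately, the comment above the new `TBC_SBOM_MODE` default says `onrelease` means "only generate SBOMs for releases", whereas the rule it selects also covers integration and production branches; `# onrelease -> only on $PROD_REF/$INTEG_REF branches and $RELEASE_REF tags; always -> every pipeline` would match the job's actual behaviour. The `ng-sbom` job definition starts above this hunk, so only its `rules` list is visible here.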