fix(sbom): only generate SBOMs on prod branches, integ branches and release tags (b409e122) · Commits · to be continuous... / sbt

README.md

+1 −0

Original line number	Diff line number	Diff line
		@@ -146,6 +146,7 @@ It is bound to the `test` stage, and uses the following variables:
		\| Input / Variable \| Description \| Default value \|
		\| --------------------- \| -------------------------------------- \| ----------------- \|
		\| `sbom-disabled` / `SBT_SBOM_DISABLED` \| Set to `true` to disable this job \| _none_ \|
		\| `TBC_SBOM_MODE` \| Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `SBT_SBOM_DISABLED` takes precedence \| `onrelease` \|
		\| `sbom-image` / `SBT_SBOM_IMAGE` \| The syft image used for SBOM analysis \| `registry.hub.docker.com/anchore/syft:debug` \|
		\| `sbom-opts` / `SBT_SBOM_OPTS` \| Options for syft used for SBOM analysis \| `dir:sbt-cache/coursier --catalogers java-cataloger` \|

+8 −0

Original line number	Diff line number	Diff line
		@@ -43,6 +43,14 @@
		"description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
		"disable_with": "SBT_SBOM_DISABLED",
		"variables": [
		{
		"name": "TBC_SBOM_MODE",
		"type": "enum",
		"values": ["onrelease", "always"],
		"description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
		"advanced": true,
		"default": "onrelease"
		},
		{
		"name": "SBT_SBOM_IMAGE",
		"default": "registry.hub.docker.com/anchore/syft:debug",

+18 −1

Original line number	Diff line number	Diff line
		@@ -102,7 +102,18 @@ workflow:
		# else (Ready MR): auto & failing
		- when: on_success

		# software delivery job prototype: run on production and integration branches + release pipelines
		.delivery-policy:
		rules:
		# on tag with release pattern
		- if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
		# on production or integration branch(es)
		- if: '$CI_COMMIT_REF_NAME =~ $PROD_REF \|\| $CI_COMMIT_REF_NAME =~ $INTEG_REF'

		variables:
		# Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
		TBC_SBOM_MODE: "onrelease"

		# SBT image (can be overridden)
		SBT_IMAGE: $[[ inputs.image ]]

		@@ -461,7 +472,13 @@ sbt-sbom:
		# exclude if disabled
		- if: '$SBT_SBOM_DISABLED == "true"'
		when: never
		- !reference [.test-policy, rules]
		# 'always' mode: run
		- if: '$TBC_SBOM_MODE == "always"'
		# exclude unsupported modes
		- if: '$TBC_SBOM_MODE != "onrelease"'
		when: never
		# 'onrelease' mode: use common software delivery rules
		- !reference [.delivery-policy, rules]

		sbt-publish-snapshot:
		extends: .sbt-base

Original line number	Diff line number	Diff line
		@@ -146,6 +146,7 @@ It is bound to the `test` stage, and uses the following variables:
		\| Input / Variable \| Description \| Default value \|
		\| --------------------- \| -------------------------------------- \| ----------------- \|
		\| `sbom-disabled` / `SBT_SBOM_DISABLED` \| Set to `true` to disable this job \| _none_ \|
		\| `TBC_SBOM_MODE` \| Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `SBT_SBOM_DISABLED` takes precedence \| `onrelease` \|
		\| `sbom-image` / `SBT_SBOM_IMAGE` \| The syft image used for SBOM analysis \| `registry.hub.docker.com/anchore/syft:debug` \|
		\| `sbom-opts` / `SBT_SBOM_OPTS` \| Options for syft used for SBOM analysis \| `dir:sbt-cache/coursier --catalogers java-cataloger` \|