diff --git a/README.md b/README.md index 7dd350b883a5f749ca3067381d3cd0dac1ada845..a27c7aaa15a4bb16667c36a5dd363357d14ebcf2 100644 --- a/README.md +++ b/README.md @@ -454,6 +454,7 @@ It is bound to the `package-test` stage, and uses the following variables: | Input / Variable | Description | Default value | | ---------------------------------------- | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | | `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | +| `TBC_SBOM_MODE` | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence | `onrelease` | `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` | | `sbom-opts` / `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` | diff --git a/kicker.json b/kicker.json index 78bbb8409fb194426436e7ca445f763c96949645..3fc70084db581fff11fe16a2fea27c5c6042c469 100644 --- a/kicker.json +++ b/kicker.json @@ -197,6 +197,14 @@ "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)", "disable_with": "DOCKER_SBOM_DISABLED", "variables": [ + { + "name": "TBC_SBOM_MODE", + "type": "enum", + "values": ["onrelease", "always"], + "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)", + "advanced": true, + "default": "onrelease" + }, { "name": "DOCKER_SBOM_IMAGE", "default": "registry.hub.docker.com/anchore/syft:debug" 
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 54c6c6000f878c8c7289820c0f6ada65bfeaf463..f4aea53e1f296a2c05774ad296558bbd7ff5c6c5 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -216,7 +216,18 @@ workflow:
 # else (Ready MR): auto & failing
 - when: on_success
+# software delivery job prototype: run on production and integration branches + release pipelines
+.delivery-policy:
+ rules:
+ # on tag with release pattern
+ - if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
+ # on production or integration branch(es)
+ - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
 variables:
+ # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
+ TBC_SBOM_MODE: "onrelease"
+
 DOCKER_HADOLINT_IMAGE: $[[ inputs.hadolint-image ]]
 DOCKER_IMAGE: $[[ inputs.image ]]
 DOCKER_DIND_IMAGE: $[[ inputs.dind-image ]]
@@ -250,6 +261,8 @@ variables:
 PROD_REF: '/^(master|main)$/'
 # default integration ref name (pattern)
 INTEG_REF: '/^develop$/'
+ # default release tag name (pattern)
+ RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-\.]+)?(\+[a-zA-Z0-9-\.]+)?$/'
 # don't use CI_PROJECT_TITLE, kaniko doesn't support space in argument right now (https://github.com/GoogleContainerTools/kaniko/issues/1231)
 DOCKER_METADATA: $[[ inputs.metadata ]]
@@ -1025,10 +1038,17 @@ docker-sbom:
 cyclonedx:
 - "reports/docker-sbom-*.cyclonedx.json"
 rules:
- # exclude if disabled
+ # exclude if disabled (template specific)
 - if: '$DOCKER_SBOM_DISABLED == "true"'
 when: never
- - !reference [.test-policy, rules]
+ # 'always' mode: run
+ - if: '$TBC_SBOM_MODE == "always"'
+ # exclude unsupported modes
+ - if: '$TBC_SBOM_MODE != "onrelease"'
+ when: never
+ # 'onrelease' mode: use common software delivery rules
+ - !reference [.delivery-policy, rules]
+
 # ==================================================
 # Stage: publish
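Review bot: `.delivery-policy` selects "release" pipelines by ref name alone — `$CI_COMMIT_TAG =~ $RELEASE_REF` and `$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF` — with no `$CI_COMMIT_REF_PROTECTED` check, so any user who can push a tag like `v1.2.3` or a branch named `develop` gets the release behaviour. For docker-sbom that only means an extra report, but the comment bills the anchor as a reusable software-delivery prototype; if it is later referenced from publish or deploy jobs it should require protected refs, e.g. `- if: '$CI_COMMIT_TAG =~ $RELEASE_REF && $CI_COMMIT_REF_PROTECTED == "true"'`, or the comment should state that callers must protect the release tag pattern and the production/integration branches. It is also worth saying in the anchor that there is no terminal rule, so a ref matching neither pattern falls back to GitLab's default of not adding the job: `# no fallback rule: refs matching neither pattern are excluded`. The `variables:` block that receives `TBC_SBOM_MODE` continues past the end of this hunk.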
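Review bot: The character class `[a-zA-Z0-9-\.]` in the new `RELEASE_REF` default places a bare `-` between the `0-9` range and an escaped dot; the RE2-style matcher GitLab uses for `rules:` appears to accept it as a literal hyphen (the hunk depends on that), but other engines warn on or reject an unescaped mid-class `-`, and users who copy this pattern into a project-level `RELEASE_REF` variable or a tag-protection rule may hit that. Moving the hyphen to the end of the class removes the ambiguity without changing what is matched: `RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/'`. A one-line comment that the pattern is SemVer-shaped and that overriding it widens what counts as a release pipeline would also help: `# default release tag name (pattern): SemVer with optional 'v' prefix; overriding it changes which tags get release jobs`. The enclosing `variables:` block starts before and ends after this hunk.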
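Review bot: A mistyped mode value silently suppresses the SBOM report: the `- if: '$TBC_SBOM_MODE != "onrelease"'` / `when: never` pair turns a value such as `Always` or `on-release` into "never generate", including on release pipelines, with no pipeline error to flag it. Since the SBOM is the supply-chain evidence this job exists to produce, a safer failure mode is to over-generate rather than drop it: remove that rule so anything other than `always` falls through to `!reference [.delivery-policy, rules]`, or at minimum make the silent disable explicit in the comment, e.g. `# any other value disables the job silently — keep the accepted values in sync with the kicker.json enum`. The `DOCKER_SBOM_DISABLED` exclusion is correctly placed first, which is what the README's "takes precedence" note relies on. The docker-sbom job definition starts before this hunk.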