chore(quality): SBOM as release asset only — drop in-repo commit step #34

Merged

rubenvdlinde merged 1 commit into main on May 1, 2026
Conversation
The SBOM job in the central reusable Quality workflow used to commit the generated `sbom.cdx.json` back to the calling repo's main branch on every push. That created two problems:

1. **PAT pressure** — pushing to a protected `main` from a workflow needed either an admin override (each PR via `--admin`) or a PAT/GitHub App with bypass on `sbom.cdx.json`. PATs in repo secrets are a security liability we want to avoid.
2. **Workflow self-recursion + double-fire of release/CI workflows** — every SBOM commit triggered another push event that re-ran the Quality workflow (regenerating the same SBOM → no-op → still a CI minute), and could fire downstream workflows (release-to-appstore, etc.) that watch `push: main`.

Fix: don't commit. Publish exclusively via two channels that already exist:

- **Workflow artifact** (90-day retention) — for internal CI audit/replay.
- **Release asset** on every tag push — stable URL for downstream consumers via `https://github.com/ConductionNL/<app>/releases/latest/download/sbom.cdx.json`.

Both channels are already implemented by the existing `Upload SBOM artifact` + `Attach SBOM to release` steps, which are kept unchanged.

Removed:

- `Commit SBOM` step (the only step that wrote back to the repo).
- `token: ${{ secrets.GITHUB_TOKEN }}` from the SBOM checkout step (no push privilege needed anymore).

Added: SECURITY.md "Software Bill of Materials" section documenting the consumer contract — stable URLs, format (CycloneDX 1.5 JSON), update cadence (per release), verification gates (Grype + composer audit + npm audit), and where to report SBOM issues.

Per-app fan-out (separate PRs): each app deletes its `.github/workflows/sbom.yml` (the central job replaces it), removes the checked-in `sbom.cdx.json`, and adds it to `.gitignore`.
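The before/after shape of the SBOM job described above, as an added illustrative example (not the ConductionNL/.github workflow itself): the removed `Commit SBOM` step is shown commented out next to the two publishing channels that stay. The `Generate SBOM` step and its script name are assumptions; the page does not show the generator, and the release-asset step assumes a release for the tag already exists.

```yaml
# Illustrative reusable Quality workflow (example only, not the project's file).
on:
  workflow_call:

permissions:
  contents: read            # baseline for every job

jobs:
  sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # needed only to attach the release asset
    steps:
      - uses: actions/checkout@v4
        # BEFORE: `with: token: ${{ secrets.GITHUB_TOKEN }}` was set here so
        # the job could push. Dropped: nothing is pushed anymore.

      - name: Generate SBOM                     # assumed step; generator not on the page
        run: ./generate-sbom.sh > sbom.cdx.json # hypothetical script name

      # --- BEFORE (removed): write the SBOM back to the calling repo ---
      # - name: Commit SBOM
      #   run: |
      #     git config user.name "sbom-bot"
      #     git add sbom.cdx.json
      #     git commit -m "chore: update SBOM" && git push
      #   # Needs bypass on protected main (PAT or App) and the resulting push
      #   # re-triggers every `push: main` workflow, including this one.

      # --- AFTER: publish only through the two channels that already exist ---
      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
          retention-days: 90                    # internal CI audit/replay window

      - name: Attach SBOM to release
        if: startsWith(github.ref, 'refs/tags/')
        env:
          GH_TOKEN: ${{ github.token }}         # job-scoped token, no PAT in secrets
        run: gh release upload "$GITHUB_REF_NAME" sbom.cdx.json --clobber
```

The asset then resolves at `https://github.com/ConductionNL/<app>/releases/latest/download/sbom.cdx.json`, and the only write the job performs is to the release, not to a branch, so no push event is produced.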
rubenvdlinde added a commit to ConductionNL/docudesk that referenced this pull request on May 1, 2026:

> …asset only) (#113)
>
> The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs exclusively as release assets — see SECURITY.md "Software Bill of Materials". This PR cleans up the per-app remnants:
>
> - delete .github/workflows/sbom.yml (the central job replaces it)
> - delete the checked-in sbom.cdx.json (release asset is the source of truth)
> - gitignore SBOM files so future generations don't accidentally land in repo
>
> Stable URL for clients: https://github.com/ConductionNL/docudesk/releases/latest/download/sbom.cdx.json
>
> Co-authored-by: SBOM Cleanup <ops@conduction.nl>
rubenvdlinde added a commit to ConductionNL/mydash that referenced this pull request on May 1, 2026:

> …asset only) (#86)
>
> The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs exclusively as release assets — see SECURITY.md "Software Bill of Materials". This PR cleans up the per-app remnants:
>
> - delete .github/workflows/sbom.yml (the central job replaces it)
> - delete the checked-in sbom.cdx.json (release asset is the source of truth)
> - gitignore SBOM files so future generations don't accidentally land in repo
>
> Stable URL for clients: https://github.com/ConductionNL/mydash/releases/latest/download/sbom.cdx.json
>
> Co-authored-by: SBOM Cleanup <ops@conduction.nl>
rubenvdlinde added a commit to ConductionNL/nextcloud-app-template that referenced this pull request on May 1, 2026:

> …asset only) (#24)
>
> The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs exclusively as release assets — see SECURITY.md "Software Bill of Materials". This PR cleans up the per-app remnants:
>
> - delete .github/workflows/sbom.yml (the central job replaces it)
> - delete the checked-in sbom.cdx.json (release asset is the source of truth)
> - gitignore SBOM files so future generations don't accidentally land in repo
>
> Stable URL for clients: https://github.com/ConductionNL/nextcloud-app-template/releases/latest/download/sbom.cdx.json
>
> Co-authored-by: SBOM Cleanup <ops@conduction.nl>
rubenvdlinde added a commit to ConductionNL/nldesign that referenced this pull request on May 1, 2026:

> …asset only) (#58)
>
> The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs exclusively as release assets — see SECURITY.md "Software Bill of Materials". This PR cleans up the per-app remnants:
>
> - delete .github/workflows/sbom.yml (the central job replaces it)
> - delete the checked-in sbom.cdx.json (release asset is the source of truth)
> - gitignore SBOM files so future generations don't accidentally land in repo
>
> Stable URL for clients: https://github.com/ConductionNL/nldesign/releases/latest/download/sbom.cdx.json
>
> Co-authored-by: SBOM Cleanup <ops@conduction.nl>
rubenvdlinde added a commit to ConductionNL/opencatalogi that referenced this pull request on May 1, 2026:

> …asset only) (#507)
>
> The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs exclusively as release assets — see SECURITY.md "Software Bill of Materials". This PR cleans up the per-app remnants:
>
> - delete .github/workflows/sbom.yml (the central job replaces it)
> - delete the checked-in sbom.cdx.json (release asset is the source of truth)
> - gitignore SBOM files so future generations don't accidentally land in repo
>
> Stable URL for clients: https://github.com/ConductionNL/opencatalogi/releases/latest/download/sbom.cdx.json
>
> Co-authored-by: SBOM Cleanup <ops@conduction.nl>
rubenvdlinde added a commit to ConductionNL/openconnector that referenced this pull request on May 1, 2026:

> …asset only) (#735)
>
> The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs exclusively as release assets — see SECURITY.md "Software Bill of Materials". This PR cleans up the per-app remnants:
>
> - delete .github/workflows/sbom.yml (the central job replaces it)
> - delete the checked-in sbom.cdx.json (release asset is the source of truth)
> - gitignore SBOM files so future generations don't accidentally land in repo
>
> Stable URL for clients: https://github.com/ConductionNL/openconnector/releases/latest/download/sbom.cdx.json
>
> Co-authored-by: SBOM Cleanup <ops@conduction.nl>
rubenvdlinde added a commit to ConductionNL/openregister that referenced this pull request on May 1, 2026:

> …asset only) (#1386)
>
> The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs exclusively as release assets — see SECURITY.md "Software Bill of Materials". This PR cleans up the per-app remnants:
>
> - delete .github/workflows/sbom.yml (the central job replaces it)
> - delete the checked-in sbom.cdx.json (release asset is the source of truth)
> - gitignore SBOM files so future generations don't accidentally land in repo
>
> Stable URL for clients: https://github.com/ConductionNL/openregister/releases/latest/download/sbom.cdx.json
>
> Co-authored-by: SBOM Cleanup <ops@conduction.nl>
rubenvdlinde added a commit to ConductionNL/shillinq that referenced this pull request on May 1, 2026:

> …asset only) (#68)
>
> The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs exclusively as release assets — see SECURITY.md "Software Bill of Materials". This PR cleans up the per-app remnants:
>
> - delete .github/workflows/sbom.yml (the central job replaces it)
> - delete the checked-in sbom.cdx.json (release asset is the source of truth)
> - gitignore SBOM files so future generations don't accidentally land in repo
>
> Stable URL for clients: https://github.com/ConductionNL/shillinq/releases/latest/download/sbom.cdx.json
>
> Co-authored-by: SBOM Cleanup <ops@conduction.nl>
rubenvdlinde added a commit that referenced this pull request on May 1, 2026:

> …#35)
>
> Documents the org-wide rules so new and existing apps know exactly how to wire CI:
>
> - One central reusable Quality workflow at ConductionNL/.github
> - Every app calls it via a thin wrapper at .github/workflows/code-quality.yml
> - No per-app duplication of quality logic
> - SBOM follows from central job → release asset (see SECURITY.md)
> - Branch flow: feature/* → development → beta → main with the protection matrix described
>
> Triggered by drift discovered in the audit after the SBOM cleanup (#34): three apps had non-canonical wrapper filenames (quality-check.yml, quality.yml) and one app (openconnector) duplicates quality logic instead of consuming the central workflow.
rubenvdlinde added a commit to ConductionNL/mydash that referenced this pull request on May 3, 2026:

> …asset only) (#86)
>
> The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs exclusively as release assets — see SECURITY.md "Software Bill of Materials". This PR cleans up the per-app remnants:
>
> - delete .github/workflows/sbom.yml (the central job replaces it)
> - delete the checked-in sbom.cdx.json (release asset is the source of truth)
> - gitignore SBOM files so future generations don't accidentally land in repo
>
> Stable URL for clients: https://github.com/ConductionNL/mydash/releases/latest/download/sbom.cdx.json
>
> Co-authored-by: SBOM Cleanup <ops@conduction.nl>
Drops Commit-SBOM step from central Quality workflow. Adds SECURITY.md SBOM section. SBOM continues to ship as workflow artifact (90d) + release asset on tag push. Stable URLs: https://github.com/ConductionNL/<app>/releases/latest/download/sbom.cdx.json. Per-app cleanup PRs follow.