feat(ketryx): integrate Ketryx compliance framework with requirements traceability

.github/workflows/_ketryx_report_and_check.yml

@@ -7,6 +7,10 @@ on:
         description: 'Commit message to check for skip markers'
         required: false
         type: string
+
+      commit-sha:
+        required: true
+        type: string
     secrets:
       KETRYX_PROJECT:
         required: false
@@ -18,7 +22,6 @@ env:
   PYTHONIOENCODING: "utf8"
 
 jobs:
-
   ketryx_report_and_check:
     runs-on: ubuntu-latest
     permissions:
@@ -36,37 +39,36 @@ jobs:
           !contains(github.event.pull_request.labels.*.name, 'skip:ketryx')
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
-          name: test-results-ubuntu-latest          
+          name: test-results-ubuntu-latest
+          path: test-results
 
       - name: Download audit results generated in _audit.yml
         if: |
           !contains(inputs.commit_message, 'skip:ketryx') &&
           !contains(github.event.pull_request.labels.*.name, 'skip:ketryx')
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
-          name: audit-results          
+          name: audit-results
+          path: audit-results
 
       - name: Report build to Ketryx and check for approval
         if: |
           !contains(inputs.commit_message, 'skip:ketryx') &&
           !contains(github.event.pull_request.labels.*.name, 'skip:ketryx')
         uses: Ketryx/ketryx-github-action@40b13ef68c772e96e58ec01a81f5b216d7710186 # v1.4.0
-        continue-on-error: true # TODO(Helmut): Remove post having Ketryx configured to inspect the main branch
         with:
           project: ${{ secrets.KETRYX_PROJECT }}
           api-key: ${{ secrets.KETRYX_API_KEY }}
+          commit-sha: ${{ inputs.commit-sha }}
           build-name: "ci-cd"
-          check-dependencies-status: true
-          test-junit-path: reports/junit_*.xml
+          test-junit-path: test-results/junit_*.xml
           cyclonedx-json-path: |
-            reports/sbom.json
+            audit-results/sbom.json
           artifact-path: |
-            reports/sbom.spdx
-            reports/licenses.csv
-            reports/licenses.json
-            reports/licenses_grouped.json
-            reports/vulnerabilities.json
-            reports/mypy_junit.xml
-            reports/coverage.xml
-            reports/coverage.md
-            aignostics.log
+            audit-results/sbom.spdx
+            audit-results/licenses.csv
+            audit-results/licenses.json
+            audit-results/licenses_grouped.json
+            audit-results/vulnerabilities.json
+            test-results/coverage.xml
+            test-results/coverage.md

.github/workflows/ci-cd.yml

@@ -73,7 +73,7 @@ jobs:
       contents: read
       id-token: write
       packages: read
-    
+
   test:
     needs: [get-commit-message]
     if: |
@@ -117,15 +117,16 @@ jobs:
       security-events: write
 
   ketryx_report_and_check:
-    needs: [get-commit-message, lint, audit, test, codeql] 
-    uses: ./.github/workflows/_ketryx_report_and_check.yml
+    needs: [get-commit-message, lint, audit, test, codeql]
     if: |
       (!contains(needs.get-commit-message.outputs.commit_message, 'skip:ci')) &&
       (!contains(needs.get-commit-message.outputs.commit_message, 'build:native:only')) &&
       !(github.ref_type == 'branch' && startsWith(needs.get-commit-message.outputs.commit_message, 'Bump version:')) &&
       (!contains(github.event.pull_request.labels.*.name, 'skip:ci')) &&
       (!contains(github.event.pull_request.labels.*.name, 'build:native:only'))
+    uses: ./.github/workflows/_ketryx_report_and_check.yml
     with:
+      commit-sha: ${{ github.event.pull_request.head.sha || github.sha }}
       commit_message: ${{ needs.get-commit-message.outputs.commit_message }}
     permissions:
       attestations: write