ci: fix dependency-scan SBOM workflow to scan released packages#1287
Force-pushed from 6cec276 to 4a19c4d
Force-pushed from 4a19c4d to 4f896fa
@cursor review

✅ Bugbot reviewed your changes and found no new issues! 1 issue from previous review remains unresolved.
Reviewed by Cursor Bugbot for commit 4f896fa.
Force-pushed from 4f896fa to b2ce177
Going to wait until launchdarkly/gh-actions#81 merges so we can ensure that the dependencies are present to be scanned.
Force-pushed from e9a4588 to cd8590e
Force-pushed from cd8590e to 36b5ac5
@cursor review

✅ Bugbot reviewed your changes and found no new issues!
Reviewed by Cursor Bugbot for commit 36b5ac5.
… SBOM

The dependency-scan workflow has been silently broken since it was added (SEC-7263). cdxgen internally runs `yarn install` but corepack was never enabled, so it fell back to system yarn 1.x, failed silently, and produced a 0-component BOM. OPA then evaluated the empty BOM and vacuously passed.

- Enable corepack and install deps before the shared generate-sbom action
- Add a non-zero component guard so empty scans fail loudly
- Document that this workflow checks license compliance, not CVEs

Fixes: SDK-2170
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Yarn Berry auto-enables immutable installs in CI, but this repo gitignores yarn.lock, so the install fails. Match the pattern used in react.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Point generate-sbom at the skz/ignore-optional branch of gh-actions which adds --omit optional to cdxgen. This should exclude @img/sharp-libvips-* (LGPL-3.0, optional deps of sharp via Next.js) from the SBOM. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…itives Revert the omit-optional gh-actions branch (didn't filter transitive optionals). Instead, set YARN_SUPPORTED_ARCHITECTURES to empty arrays so yarn skips all platform-specific optional deps (like @img/sharp-libvips-*) during install. If they're not in node_modules, cdxgen won't pick them up. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
YARN_SUPPORTED_ARCHITECTURES env var doesn't work as JSON in Yarn 3.4.1. Use yarn config set with --json flag to set each sub-key individually. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use yarn workspaces focus to install only dependencies of released packages (from .release-please-manifest.json). This excludes example apps and contract tests that bring in LGPL transitive deps like @img/sharp-libvips (via Next.js) which don't ship in published SDKs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Force-pushed from 36b5ac5 to d73db95

Summary

The `dependency-scan.yml` workflow has been silently broken since it was added (SEC-7263, Nov 2025). Every run produces a 0-component SBOM and vacuously passes the license policy check.

- cdxgen's internal `yarn install` ran with corepack never enabled, so it fell back to system yarn 1.x, failed silently, and produced an empty BOM
- Install dependencies (scoped via `yarn workspaces focus`) before cdxgen runs
- Scoping the install to released packages keeps LGPL transitive deps that don't ship in published SDKs out of the SBOM (`@img/sharp-libvips` via Next.js)

Changes

- `.github/workflows/dependency-scan.yml` -- add node setup, corepack, and scoped dependency install before SBOM generation
- `scripts/released-packages.js` -- new script that reads `.release-please-manifest.json` and prints workspace names of all released packages

Test plan

- Dependency Scan workflow runs green on this PR

Fixes SDK-2170
🤖 Generated with Claude Code
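The vacuous pass described in the summary, as an added example that is not code from this PR, the js-core repo, or the shared generate-sbom action: a license check over a CycloneDX JSON BOM with the kind of non-empty guard the PR adds. The deny list, the sample BOMs and the handling of SPDX expressions are assumptions for illustration; the real policy is an OPA policy that is not on this page.

```javascript
// Added example (not the js-core project's code): evaluate a CycloneDX JSON
// BOM against a license deny list, with an explicit non-empty guard. A BOM
// with zero components has nothing to deny, so a deny-only policy passes it
// vacuously; the guard turns that silent pass into a loud failure.

// Hypothetical deny list. The PR's real policy is an OPA policy not shown here.
const DENIED_LICENSES = new Set([
  'LGPL-2.1-only', 'LGPL-2.1-or-later',
  'LGPL-3.0', 'LGPL-3.0-only', 'LGPL-3.0-or-later',
]);

// Collect the license identifiers attached to one CycloneDX component.
// CycloneDX allows { license: { id | name } } entries or an SPDX
// { expression }. Expressions are split into identifier tokens so a denied
// id anywhere in them is flagged; this is deliberately conservative and does
// not evaluate OR/AND semantics.
function componentLicenseIds(component) {
  const ids = [];
  for (const entry of component.licenses || []) {
    if (entry.license) {
      ids.push(entry.license.id || entry.license.name || 'UNKNOWN');
    } else if (entry.expression) {
      for (const tok of entry.expression.split(/[\s()]+/)) {
        if (tok && tok !== 'AND' && tok !== 'OR' && tok !== 'WITH') ids.push(tok);
      }
    }
  }
  return ids.length > 0 ? ids : ['UNKNOWN'];
}

// Every (component, license) pair that hits the deny list.
function findViolations(bom, denied = DENIED_LICENSES) {
  const violations = [];
  for (const c of bom.components || []) {
    for (const id of componentLicenseIds(c)) {
      if (denied.has(id)) {
        violations.push({ name: c.name, version: c.version, license: id });
      }
    }
  }
  return violations;
}

// Evaluate the BOM. With ensureNonEmpty (the default) a 0-component BOM is a
// hard failure, since it almost always means the dependency install that fed
// the generator did not actually run.
function evaluate(bom, { ensureNonEmpty = true, denied = DENIED_LICENSES } = {}) {
  const componentCount = Array.isArray(bom.components) ? bom.components.length : 0;
  if (bom.bomFormat !== 'CycloneDX') {
    return { ok: false, reason: 'not a CycloneDX BOM', componentCount, violations: [] };
  }
  if (ensureNonEmpty && componentCount === 0) {
    return {
      ok: false,
      reason: 'BOM has 0 components; dependency install probably failed',
      componentCount,
      violations: [],
    };
  }
  const violations = findViolations(bom, denied);
  return {
    ok: violations.length === 0,
    reason: violations.length === 0 ? 'no denied licenses' : `${violations.length} denied license(s)`,
    componentCount,
    violations,
  };
}

// Constructed sample BOMs, not real cdxgen output.
const EMPTY_BOM = { bomFormat: 'CycloneDX', specVersion: '1.5', components: [] };
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  components: [
    { type: 'library', name: '@launchdarkly/js-sdk-common', version: '2.0.0',
      licenses: [{ license: { id: 'Apache-2.0' } }] },
    { type: 'library', name: 'example-dual-licensed', version: '1.0.0',
      licenses: [{ expression: '(MIT OR Apache-2.0)' }] },
    { type: 'library', name: '@img/sharp-libvips-linux-x64', version: '1.0.4',
      licenses: [{ license: { id: 'LGPL-3.0-or-later' } }] },
  ],
};
```

`evaluate(EMPTY_BOM, { ensureNonEmpty: false })` reports `ok: true`, which is the behaviour the workflow had for every run; with the guard on, the same input fails with a reason that points at the install rather than at the policy.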
Note: Low Risk

Low risk since this only changes CI dependency-scanning behavior, but it could cause the Dependency Scan workflow to fail if Yarn workspace focusing or the released-packages list is incorrect.

Overview

Fixes the Dependency Scan GitHub Action so SBOM generation runs with the intended Node/Yarn toolchain and produces a non-empty BOM.

The workflow now sets up Node 20, enables corepack, installs dependencies for released workspaces via `yarn workspaces focus $(node scripts/released-packages.js)`, and passes `ensure-non-empty: 'true'` to the SBOM generator.

Adds `scripts/released-packages.js`, which reads `.release-please-manifest.json` and prints the corresponding workspace package names to drive the focused install.

Reviewed by Cursor Bugbot for commit d73db95.
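What a script in the role of `scripts/released-packages.js` has to do, as an added example that is not the PR's script: turn the entries of a release-please manifest into Yarn workspace names for `yarn workspaces focus`, and refuse to emit an empty list. The manifest contents, directory paths and the example-app and contract-test directories are constructed for illustration; only the package names are ones that appear on this page.

```javascript
// Added example (not the project's scripts/released-packages.js). A
// release-please manifest maps package directories (relative to the repo
// root) to their current version; the Yarn workspace name is the "name"
// field of that directory's package.json. Directories that are not in the
// manifest (example apps, contract tests) never reach the focus list, which
// is what keeps their transitive dependencies out of the SBOM.

// Constructed manifest. Paths are hypothetical.
const MANIFEST = {
  'packages/shared/common': '2.3.0',
  'packages/shared/sdk-client': '1.1.0',
  'packages/sdk/browser': '0.7.1',
};

// Constructed package.json contents for the whole repo, including two
// directories that are deliberately absent from the manifest.
const PACKAGE_JSONS = {
  'packages/shared/common': { name: '@launchdarkly/js-sdk-common' },
  'packages/shared/sdk-client': { name: '@launchdarkly/js-client-sdk-common' },
  'packages/sdk/browser': { name: '@launchdarkly/browser' },
  'examples/nextjs-app': { name: 'nextjs-example', private: true },
  'contract-tests': { name: 'contract-tests', private: true },
};

// readPackageJson(dir) returns the parsed package.json for a manifest entry.
// In a real script it would be
//   (dir) => JSON.parse(fs.readFileSync(path.join(root, dir, 'package.json'), 'utf8'))
// and is injected here so the example runs without touching the filesystem.
function releasedWorkspaceNames(manifest, readPackageJson) {
  const names = new Set();
  for (const dir of Object.keys(manifest)) {
    // release-please uses "." for a single-package root; that is not a
    // workspace to focus on (assumption for this example).
    if (dir === '.') continue;
    const pkg = readPackageJson(dir);
    if (!pkg || typeof pkg.name !== 'string' || pkg.name === '') {
      throw new Error(`manifest entry ${dir} has no package.json name`);
    }
    if (pkg.private === true) {
      // A private package cannot be published, so a manifest pointing at one
      // is a configuration error rather than something to silently skip.
      throw new Error(`manifest entry ${dir} (${pkg.name}) is private; refusing to treat it as released`);
    }
    names.add(pkg.name);
  }
  return [...names].sort();
}

// The argv for the focused install. An empty list is rejected rather than
// passed through: "yarn workspaces focus" with no names would not install
// the released packages' dependencies, and the SBOM would again be empty.
function focusArgv(names) {
  if (names.length === 0) {
    throw new Error('no released workspaces found; refusing to run an empty focus');
  }
  return ['yarn', 'workspaces', 'focus', ...names];
}
```

The PR's workflow passes the same list through `$(node scripts/released-packages.js)`; keeping the list non-empty on the script side is the analogue of the BOM guard, since a silently empty focus would reproduce the original failure one step earlier.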