fix(sbom): only generate SBOMs on prod branches, integ branches and release tags

README.md

@@ -454,6 +454,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | Input / Variable                         | Description                             | Default value                                                                                                           |
 | ---------------------------------------- | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
 | `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job       | _none_                                                                                                                  |
+| `TBC_SBOM_MODE` | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence | `onrelease`
 | `sbom-image` / `DOCKER_SBOM_IMAGE`       | The docker image used to emit SBOM      | `registry.hub.docker.com/anchore/syft:debug`                                                                            |
 | `sbom-opts` / `DOCKER_SBOM_OPTS`         | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` |
 

kicker.json

@@ -197,6 +197,14 @@
       "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
       "disable_with": "DOCKER_SBOM_DISABLED",
       "variables": [
+        {
+          "name": "TBC_SBOM_MODE",
+          "type": "enum",
+          "values": ["onrelease", "always"],
+          "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
+          "advanced": true,
+          "default": "onrelease"
+        },
         {
           "name": "DOCKER_SBOM_IMAGE",
           "default": "registry.hub.docker.com/anchore/syft:debug"

templates/gitlab-ci-docker.yml

@@ -216,7 +216,18 @@ workflow:
     # else (Ready MR): auto & failing
     - when: on_success
 
+# software delivery job prototype: run on production and integration branches + release pipelines
+.delivery-policy:
+  rules:
+    # on tag with release pattern
+    - if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
+    # on production or integration branch(es)
+    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+
 variables:
+  # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
+  TBC_SBOM_MODE: "onrelease"
+
   DOCKER_HADOLINT_IMAGE: $[[ inputs.hadolint-image ]]
   DOCKER_IMAGE: $[[ inputs.image ]]
   DOCKER_DIND_IMAGE: $[[ inputs.dind-image ]]
@@ -250,6 +261,8 @@ variables:
   PROD_REF: '/^(master|main)$/'
   # default integration ref name (pattern)
   INTEG_REF: '/^develop$/'
+  # default release tag name (pattern)
+  RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-\.]+)?(\+[a-zA-Z0-9-\.]+)?$/'
 
   # don't use CI_PROJECT_TITLE, kaniko doesn't support space in argument right now (https://github.com/GoogleContainerTools/kaniko/issues/1231)
   DOCKER_METADATA: $[[ inputs.metadata ]]
@@ -1025,10 +1038,17 @@ docker-sbom:
       cyclonedx:
         - "reports/docker-sbom-*.cyclonedx.json"
   rules:
-    # exclude if disabled
+    # exclude if disabled (template specific)
     - if: '$DOCKER_SBOM_DISABLED == "true"'
       when: never
-    - !reference [.test-policy, rules]
+    # 'always' mode: run
+    - if: '$TBC_SBOM_MODE == "always"'
+    # exclude unsupported modes
+    - if: '$TBC_SBOM_MODE != "onrelease"'
+      when: never
+    # 'onrelease' mode: use common software delivery rules
+    - !reference [.delivery-policy, rules]
+
 
 # ==================================================
 # Stage: publish