From 9742f15c038d40af739acd64ff206ace9f15377d Mon Sep 17 00:00:00 2001 From: Mondo Diaz Date: Thu, 15 Jan 2026 19:15:01 +0000 Subject: [PATCH] Add SBOM generation and atomic Helm deployments - Add SBOM job using Syft to generate SPDX and CycloneDX formats - Add --atomic flag to Helm deployments for auto-rollback on failure - Add gitleaks fingerprints for additional false positives --- .gitlab-ci.yml | 22 ++++++++++++++++++++++ .gitleaksignore | 2 ++ CHANGELOG.md | 2 ++ 3 files changed, 26 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 59d5840..d8d07dd 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -110,6 +110,26 @@ integration_test_feature: - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"' when: on_success +# Generate Software Bill of Materials (SBOM) +sbom: + stage: build + needs: [build_image] + image: deps.global.bsf.tools/docker/anchore/syft:latest + timeout: 10m + variables: + IMAGE_NAME: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp:git.linux-amd64-$CI_COMMIT_SHA + script: + - echo "Generating SBOM for $IMAGE_NAME" + - syft $IMAGE_NAME -o spdx-json=sbom-spdx.json -o cyclonedx-json=sbom-cyclonedx.json + - echo "SBOM generation complete" + - echo "SPDX format:" && head -50 sbom-spdx.json + artifacts: + when: always + expire_in: 1 year + paths: + - sbom-spdx.json + - sbom-cyclonedx.json + # Run Python backend tests python_tests: stage: test @@ -245,6 +265,7 @@ deploy_stage: -f $VALUES_FILE \ --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \ --wait \ + --atomic \ --timeout 5m - kubectl rollout status deployment/orchard-stage-server -n $NAMESPACE --timeout=5m - *verify_deployment 
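Review bot: The SBOM generator itself is pulled as `deps.global.bsf.tools/docker/anchore/syft:latest`, so the bill of materials depends on whichever Syft build the mirror currently serves, and a regressed or tampered upstream image would feed silently into the job's output; pin it to a specific version tag, ideally with a digest (`image: deps.global.bsf.tools/docker/anchore/syft:<version>@sha256:<digest>`). The SBOM is also only kept as a job artifact under `artifacts.paths`; nothing binds it to the image it describes, so a consumer cannot check that `sbom-spdx.json` belongs to `orchard-mvp:git.linux-amd64-$CI_COMMIT_SHA` rather than to another build — Syft does record the scanned image digest in the document's source metadata, but attaching the SBOM to the image as an attestation (for example `cosign attest --predicate sbom-cyclonedx.json --type cyclonedx $IMAGE_NAME`) would be the natural follow-up. Finally, nothing in this hunk provides registry credentials for `syft` to pull `$IMAGE_NAME`; presumably the runner's docker config or a CI variable covers it, but it is worth confirming rather than relying on an anonymous pull path.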
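Review bot: `--atomic` already implies `--wait`, so the `--wait \` line immediately above the new flag is redundant and can be dropped to keep the invocation minimal. Note the semantics: on a failed upgrade Helm rolls back to the previous revision, but on a failed first install `--atomic` uninstalls the release outright, and in both cases the single `--timeout 5m` budget also bounds the rollback wait. Out-of-band effects such as database migrations run from chart hooks are not reverted by the rollback; the chart is not visible here, so confirm whether that applies. The `helm upgrade` command this hunk belongs to starts before the hunk.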
@@ -280,6 +301,7 @@ deploy_feature: --set minioIngress.host=minio-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \ --set minioIngress.tls.secretName=minio-$CI_COMMIT_REF_SLUG-tls \ --wait \ + --atomic \ --timeout 5m - kubectl rollout status deployment/orchard-$CI_COMMIT_REF_SLUG-server -n $NAMESPACE --timeout=5m - export BASE_URL="https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools" diff --git a/.gitleaksignore b/.gitleaksignore index ec06277..c57613c 100644 --- a/.gitleaksignore +++ b/.gitleaksignore @@ -9,3 +9,5 @@ bccbc71c13570d14b8b26a11335c45f102fe3072:backend/tests/unit/test_storage.py:generic-api-key:381 5c9da9003b844a2d655cce74a7c82c57e74f27c4:backend/tests/unit/test_storage.py:generic-api-key:381 90bb2a3a393d2361dc3136ee8d761debb0726d8a:backend/tests/unit/test_storage.py:generic-api-key:381 +37666e41a72d2a4f34447c0d1a8728e1d7271d24:backend/tests/unit/test_storage.py:generic-api-key:381 +0cc4f253621a9601c5193f6ae1e7ae33f0e7fc9b:backend/tests/unit/test_storage.py:generic-api-key:381 diff --git a/CHANGELOG.md b/CHANGELOG.md index 661cbc1..0c6534e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ### Added +- Added SBOM (Software Bill of Materials) generation in CI pipeline using Syft (SPDX and CycloneDX formats) - Added GitLab CI pipeline for feature branch deployments to dev namespace (#51) - Added `deploy_feature` job with dynamic hostnames and unique release names (#51) - Added `cleanup_feature` job with `on_stop` for automatic cleanup on merge (#51) 
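Review bot: Feature environments use a release named per branch (`orchard-$CI_COMMIT_REF_SLUG-server` in the rollout check), so a failing first deploy now takes the install path of `--atomic`, which deletes the release and its pods before the script continues, leaving the developer debugging the failure with no pods or logs to inspect. Consider an `after_script` that captures what survives the purge, e.g. `kubectl get events -n $NAMESPACE --sort-by=.lastTimestamp | tail -50`, and keep in mind that `--timeout 5m` bounds both the install wait and the subsequent uninstall. `--wait \` is implied by `--atomic` and can be removed here as well. The enclosing `helm` command begins before this hunk.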
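Review bot: Two more fingerprints are added for the same finding, `backend/tests/unit/test_storage.py:generic-api-key:381`, which now has five entries differing only in commit SHA; a gitleaks fingerprint is commit-scoped, so every commit that touches that file (or any rebase) will re-surface the finding and require yet another ignore entry. If the value on line 381 is a test fixture, suppress it at the source instead: append `# gitleaks:allow` to that line in `test_storage.py`, or add a path-scoped allowlist for `backend/tests/unit/` to `.gitleaks.toml`. Either way, confirm in review that the flagged string is not a real credential before extending the ignore list, since the file records no justification for the suppression.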
@@ -16,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added internal proxy configuration for npm, pip, helm, and apt (#51) ### Changed +- Added `--atomic` flag to Helm deployments for automatic rollback on failure - Adjusted dark mode color palette to use lighter background tones for better readability and reduced eye strain (#52) - Replaced project card grid with sortable data table on Home page for better handling of large project lists - Replaced package card grid with sortable data table on Project page for consistency