Add SBOM generation and atomic Helm deployments

- Add SBOM job using Syft to generate SPDX and CycloneDX formats - Add --atomic flag to Helm deployments for auto-rollback on failure - Add gitleaks fingerprints for additional false positives
2026-01-15 19:15:01 +00:00
parent 8c0327d2d2
commit 9742f15c03
3 changed files with 26 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -110,6 +110,26 @@ integration_test_feature:
    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
      when: on_success

+# Generate Software Bill of Materials (SBOM)
+sbom:
+  stage: build
+  needs: [build_image]
+  image: deps.global.bsf.tools/docker/anchore/syft:latest
+  timeout: 10m
+  variables:
+    IMAGE_NAME: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp:git.linux-amd64-$CI_COMMIT_SHA
+  script:
+    - echo "Generating SBOM for $IMAGE_NAME"
+    - syft $IMAGE_NAME -o spdx-json=sbom-spdx.json -o cyclonedx-json=sbom-cyclonedx.json
+    - echo "SBOM generation complete"
+    - echo "SPDX format:" && head -50 sbom-spdx.json
+  artifacts:
+    when: always
+    expire_in: 1 year
+    paths:
+      - sbom-spdx.json
+      - sbom-cyclonedx.json
+
 # Run Python backend tests
 python_tests:
  stage: test
@@ -245,6 +265,7 @@ deploy_stage:
        -f $VALUES_FILE \
        --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
        --wait \
+        --atomic \
        --timeout 5m
    - kubectl rollout status deployment/orchard-stage-server -n $NAMESPACE --timeout=5m
    - *verify_deployment
@@ -280,6 +301,7 @@ deploy_feature:
        --set minioIngress.host=minio-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
        --set minioIngress.tls.secretName=minio-$CI_COMMIT_REF_SLUG-tls \
        --wait \
+        --atomic \
        --timeout 5m
    - kubectl rollout status deployment/orchard-$CI_COMMIT_REF_SLUG-server -n $NAMESPACE --timeout=5m
    - export BASE_URL="https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools"