Add SBOM generation and atomic Helm deployments

- Add SBOM job using Syft to generate SPDX and CycloneDX formats - Add --atomic flag to Helm deployments for auto-rollback on failure - Add gitleaks fingerprints for additional false positives
2026-01-15 19:15:01 +00:00
parent 8c0327d2d2
commit 9742f15c03
3 changed files with 26 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -110,6 +110,26 @@ integration_test_feature:
    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
      when: on_success
 # Generate Software Bill of Materials (SBOM)
 sbom:
  stage: build
  needs: [build_image]
  image: deps.global.bsf.tools/docker/anchore/syft:latest
  timeout: 10m
  variables:
    IMAGE_NAME: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp:git.linux-amd64-$CI_COMMIT_SHA
  script:
    - echo "Generating SBOM for $IMAGE_NAME"
    - syft $IMAGE_NAME -o spdx-json=sbom-spdx.json -o cyclonedx-json=sbom-cyclonedx.json
    - echo "SBOM generation complete"
    - echo "SPDX format:" && head -50 sbom-spdx.json
  artifacts:
    when: always
    expire_in: 1 year
    paths:
      - sbom-spdx.json
      - sbom-cyclonedx.json
 # Run Python backend tests
 python_tests:
  stage: test
@@ -245,6 +265,7 @@ deploy_stage:
        -f $VALUES_FILE \
        --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
        --wait \
        --atomic \
        --timeout 5m
    - kubectl rollout status deployment/orchard-stage-server -n $NAMESPACE --timeout=5m
    - *verify_deployment
@@ -280,6 +301,7 @@ deploy_feature:
        --set minioIngress.host=minio-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
        --set minioIngress.tls.secretName=minio-$CI_COMMIT_REF_SLUG-tls \
        --wait \
        --atomic \
        --timeout 5m
    - kubectl rollout status deployment/orchard-$CI_COMMIT_REF_SLUG-server -n $NAMESPACE --timeout=5m
    - export BASE_URL="https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools"
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -9,3 +9,5 @@
 bccbc71c13570d14b8b26a11335c45f102fe3072:backend/tests/unit/test_storage.py:generic-api-key:381
 5c9da9003b844a2d655cce74a7c82c57e74f27c4:backend/tests/unit/test_storage.py:generic-api-key:381
 90bb2a3a393d2361dc3136ee8d761debb0726d8a:backend/tests/unit/test_storage.py:generic-api-key:381
 37666e41a72d2a4f34447c0d1a8728e1d7271d24:backend/tests/unit/test_storage.py:generic-api-key:381
 0cc4f253621a9601c5193f6ae1e7ae33f0e7fc9b:backend/tests/unit/test_storage.py:generic-api-key:381
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 - Added SBOM (Software Bill of Materials) generation in CI pipeline using Syft (SPDX and CycloneDX formats)
 - Added GitLab CI pipeline for feature branch deployments to dev namespace (#51)
 - Added `deploy_feature` job with dynamic hostnames and unique release names (#51)
 - Added `cleanup_feature` job with `on_stop` for automatic cleanup on merge (#51)
@@ -16,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added internal proxy configuration for npm, pip, helm, and apt (#51)
 ### Changed
 - Added `--atomic` flag to Helm deployments for automatic rollback on failure
 - Adjusted dark mode color palette to use lighter background tones for better readability and reduced eye strain (#52)
 - Replaced project card grid with sortable data table on Home page for better handling of large project lists
 - Replaced package card grid with sortable data table on Project page for consistency