Add SBOM quality gate with PR reporting and regression detection #4
Merged
mrdavidlaing merged 2 commits into main (Mar 17, 2026)
Conversation
mrdavidlaing commented Mar 17, 2026
…tection

Split sbom-generate-upload.yml into three workflows:
- sbom-generate.yml: generate, patch, and enrich SBOMs (PR + main)
- sbom-quality-gate.yml: score with sbomqs, diff with sbomlyze, post PR comment, block merge on quality regression
- sbom-upload.yml: upload enriched SBOMs to sbomify (main only)

Quality gate uses Nix-packaged sbomqs/sbomlyze instead of curl installs, and runs on cheaper blacksmith-2vcpu runners. Scripts use awk instead of bc for portability.

New TDD scripts (45 shellspec examples, all passing):
- bin/patch-sbom-root: rewrite bombon root component metadata
- bin/sbom-score: wraps sbomqs, outputs structured JSON
- bin/sbom-compare: wraps sbomlyze diff with policy checking
- bin/sbom-report: aggregates results into markdown, exits non-zero on quality regression

Co-Authored-By: Yakoff (Claude) <noreply@anthropic.com>
- Extract Nix install + cache into shared .github/actions/setup-nix composite action
- Use YAML anchors to share trigger paths between pull_request and push
- Downgrade generate/upload runners to blacksmith-2vcpu-ubuntu-2404
- Put sbomqs/sbomlyze on PATH via GITHUB_PATH instead of --cmd flags
- Rename artifact prefix from sbom-qg- to sbom-quality-gate-
- Add comment explaining when score job is skipped (direct push to main)
- Upgrade sticky-pull-request-comment v2 -> v3
- Rename sbom-upload.yml to sbom-upload-sbomify-com.yml
- Remove PLACEHOLDER items from upload matrix (only list real component IDs)

Co-Authored-By: Yakoff (Claude) <noreply@anthropic.com>
0c19650 to 37486b7
Summary

- Split sbom-generate-upload.yml into three focused workflows: generate, quality gate, and upload
- Nix-packaged sbomqs and sbomlyze (from sibling yak) instead of curl installs
- Quality gate runs on blacksmith-2vcpu runners; generate/upload stay on blacksmith-4vcpu

Test plan

- shellspec passes (45 examples, 0 failures)
- sbom-generate.yml triggers on PR and push to main
- .#sbomqs and .#sbomlyze build (depends on sibling yak)

🤖 Generated with Claude Code
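As an added illustration of the gate the commit messages describe (sbom-report turning scores into a markdown table and exiting non-zero on a quality regression, with awk instead of bc), here is a minimal POSIX sh check. It is not the PR's own bin/sbom-report; the "component score" input lines, the constructed sample scores and the tolerance policy are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not the PR's own bin/sbom-report): a minimal SBOM quality
# regression check in the same style: POSIX sh, awk for arithmetic (no bc),
# markdown table on stdout for the PR comment, non-zero exit on regression.
# ASSUMPTION: sbomqs scores (0-10) have already been pulled out of the
# sbom-score JSON into "component score" lines, as in the constructed samples.

# quality_regressed BASE HEAD TOLERANCE
# True (exit 0) when HEAD falls below BASE by more than TOLERANCE points.
quality_regressed() {
  awk -v base="$1" -v head="$2" -v tol="$3" 'BEGIN { exit !(base - head > tol) }'
}

# Constructed sample scores: the main baseline and the PR head, per component.
BASE_SCORES='api-server 8.4
worker 7.9
cli 6.5'
HEAD_SCORES='api-server 8.5
worker 7.1
cli 6.5'

# sbom_report TOLERANCE
# Prints a markdown comparison table; returns 1 if any component regressed.
sbom_report() {
  {
    printf '%s\n' "$BASE_SCORES" | awk '{ print "base", $1, $2 }'
    printf '%s\n' "$HEAD_SCORES" | awk '{ print "head", $1, $2 }'
  } | awk -v tol="$1" '
    $1 == "base" { base[$2] = $3; next }
    $1 == "head" { head[$2] = $3; order[++n] = $2 }
    END {
      print "| Component | main | PR | Status |"
      print "|---|---|---|---|"
      bad = 0
      for (i = 1; i <= n; i++) {
        c = order[i]
        if (base[c] - head[c] > tol) { status = "regression"; bad = 1 }
        else if (head[c] > base[c]) status = "improved"
        else status = "unchanged"
        printf "| %s | %.1f | %.1f | %s |\n", c, base[c], head[c], status
      }
      exit bad   # non-zero exit is what blocks the merge in the workflow
    }'
}

# Usage: a drop of up to 0.5 points is tolerated; anything larger fails the gate.
if sbom_report 0.5; then echo "quality gate: pass"; else echo "quality gate: regression"; fi
```

With the sample data the worker score drops 0.8 points, so the 0.5-point run reports a regression and exits 1, while a 1.0-point tolerance passes.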