Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(quality): SBOM via package-lock; non-blocking coverage-baseline push#62

Merged
rubenvdlinde merged 1 commit into
mainfrom
fix/sbom-pkglock-and-nonblocking-baseline-push
May 13, 2026
Merged

fix(quality): SBOM via package-lock; non-blocking coverage-baseline push#62
rubenvdlinde merged 1 commit into
mainfrom
fix/sbom-pkglock-and-nonblocking-baseline-push

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Two quality.yml jobs fail on repos that opt into the SBOM / coverage-guard features (e.g. ConductionNL/procest), even when every actual quality gate passed:

1. SBOMGenerate npm SBOM step

npx @cyclonedx/cyclonedx-npm … --omit dev invokes npm ls internally; npm ls exits ELSPROBLEMS on benign dependency-tree quirks (peer/version mismatches in transitive deps, a hard dependency declared by a lib but deduped away — e.g. @conduction/nextcloud-vue lists bootstrap-vue as a hard dependency, apexcharts/pinia come out "invalid" against its peer ranges, rehype-react wants @types/react). None of that affects the SBOM.

→ pass --package-lock-only so the SBOM is built from package-lock.json (the deterministic source of truth for what gets installed). A real fix, not --ignore-npm-errors. The underlying dep-declaration noise should still be cleaned up at the library level (separate.)

2. Update Coverage Baselinegit push

The job regenerates .coverage-baseline, commits it as github-actions[bot], and pushes — which the org branch-protection rulesets reject on repos with a protected development/main (GH013), failing the whole workflow.

→ make the git push non-blocking (log a ::warning:: instead of failing). The proper fix — adding the CI bot as a path-scoped ruleset bypass actor — is tracked in #61.

Surfaced while getting ConductionNL/procest's CI green.

- SBOM 'Generate npm SBOM' step ran 'npx @cyclonedx/cyclonedx-npm ...' which
  invokes 'npm ls' under the hood; that exits ELSPROBLEMS on benign dependency-
  tree quirks (peer/version mismatches in transitive deps, a hard dep declared
  by a lib but deduped away). Switch to --package-lock-only so the SBOM is built
  from package-lock.json (the deterministic source of truth) — a fix, not an
  --ignore-npm-errors. (The underlying dep-declaration noise — e.g. nc-vue
  listing bootstrap-vue as a hard dependency — should still be cleaned up at the
  library level.)
- update-baseline: 'git push' of the auto-committed .coverage-baseline is
  rejected by the org branch-protection rulesets (GH013) on repos with a
  protected development/main, failing the whole workflow. Make it non-blocking
  (warn instead of fail) until the bot is added as a ruleset bypass actor —
  tracked in #61.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant