This repository was archived by the owner on May 29, 2026. It is now read-only.
fix(quality): SBOM via package-lock; non-blocking coverage-baseline push#62
Merged
rubenvdlinde merged 1 commit intoMay 13, 2026
Merged
Conversation
- SBOM 'Generate npm SBOM' step ran 'npx @cyclonedx/cyclonedx-npm ...' which invokes 'npm ls' under the hood; that exits ELSPROBLEMS on benign dependency- tree quirks (peer/version mismatches in transitive deps, a hard dep declared by a lib but deduped away). Switch to --package-lock-only so the SBOM is built from package-lock.json (the deterministic source of truth) — a fix, not an --ignore-npm-errors. (The underlying dep-declaration noise — e.g. nc-vue listing bootstrap-vue as a hard dependency — should still be cleaned up at the library level.) - update-baseline: 'git push' of the auto-committed .coverage-baseline is rejected by the org branch-protection rulesets (GH013) on repos with a protected development/main, failing the whole workflow. Make it non-blocking (warn instead of fail) until the bot is added as a ruleset bypass actor — tracked in #61.
This was referenced May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two
quality.ymljobs fail on repos that opt into the SBOM / coverage-guard features (e.g.ConductionNL/procest), even when every actual quality gate passed:1.
SBOM—Generate npm SBOMstepnpx @cyclonedx/cyclonedx-npm … --omit devinvokesnpm lsinternally;npm lsexitsELSPROBLEMSon benign dependency-tree quirks (peer/version mismatches in transitive deps, a hard dependency declared by a lib but deduped away — e.g.@conduction/nextcloud-vuelistsbootstrap-vueas a harddependency,apexcharts/piniacome out "invalid" against its peer ranges,rehype-reactwants@types/react). None of that affects the SBOM.→ pass
--package-lock-onlyso the SBOM is built frompackage-lock.json(the deterministic source of truth for what gets installed). A real fix, not--ignore-npm-errors. The underlying dep-declaration noise should still be cleaned up at the library level (separate.)2.
Update Coverage Baseline—git pushThe job regenerates
.coverage-baseline, commits it asgithub-actions[bot], and pushes — which the org branch-protection rulesets reject on repos with a protecteddevelopment/main(GH013), failing the whole workflow.→ make the
git pushnon-blocking (log a::warning::instead of failing). The proper fix — adding the CI bot as a path-scoped ruleset bypass actor — is tracked in #61.Surfaced while getting
ConductionNL/procest's CI green.