diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index fff4c44a..5805445c 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -1299,7 +1299,11 @@ jobs: else git add .coverage-baseline git commit -m "ci: update coverage baseline [skip ci]" - git push + # Non-blocking: branch-protection rulesets reject the bot push on + # repos with a protected development/main. Surface a warning instead + # of failing the whole workflow over an auto-committed convenience + # file. Tracked in ConductionNL/.github#61 (add bot as a bypass actor). + git push || echo "::warning::Could not push the updated coverage baseline — branch protection rejected the bot push (see ConductionNL/.github#61). Commit .coverage-baseline manually." fi report: @@ -1568,7 +1572,12 @@ jobs: - name: Generate npm SBOM if: ${{ inputs.enable-frontend }} - run: npx @cyclonedx/cyclonedx-npm --output-file bom-npm.cdx.json --spec-version 1.5 --omit dev + # --package-lock-only: build the SBOM from package-lock.json rather than + # `npm ls`. `npm ls` exits non-zero (ELSPROBLEMS) on benign tree quirks — + # peer/version mismatches in transitive deps, a hard dependency declared + # by a lib but deduped away, etc. — which has nothing to do with the SBOM. + # The lockfile is the deterministic source of truth for what gets installed. + run: npx @cyclonedx/cyclonedx-npm --package-lock-only --output-file bom-npm.cdx.json --spec-version 1.5 --omit dev - name: Merge PHP + npm SBOMs if: ${{ inputs.enable-frontend }}