Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

chore(sbom): remove per-app SBOM workflow + checked-in SBOM (release-asset only)#86

Merged
rubenvdlinde merged 1 commit into
developmentfrom
chore/sbom-release-asset-cleanup
May 1, 2026
Merged

chore(sbom): remove per-app SBOM workflow + checked-in SBOM (release-asset only)#86
rubenvdlinde merged 1 commit into
developmentfrom
chore/sbom-release-asset-cleanup

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Per ConductionNL/.github#34 — central Quality workflow now publishes SBOMs as release assets only. Cleans up the per-app remnants. Stable client URL: https://github.com/ConductionNL/mydash/releases/latest/download/sbom.cdx.json

…asset only)

The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs
exclusively as release assets — see SECURITY.md "Software Bill of Materials".

This PR cleans up the per-app remnants:
- delete .github/workflows/sbom.yml (the central job replaces it)
- delete the checked-in sbom.cdx.json (release asset is the source of truth)
- gitignore SBOM files so future generations don't accidentally land in repo

Stable URL for clients:
  https://github.com/ConductionNL/mydash/releases/latest/download/sbom.cdx.json
@rubenvdlinde rubenvdlinde merged commit d297a94 into development May 1, 2026
13 of 18 checks passed
@rubenvdlinde rubenvdlinde deleted the chore/sbom-release-asset-cleanup branch May 1, 2026 11:48
@github-actions

github-actions Bot commented May 1, 2026

Copy link
Copy Markdown
Contributor

Quality Report — ConductionNL/mydash @ 65bb955

Check PHP Vue Security License Tests
lint
phpcs
phpmd
psalm
phpstan
phpmetrics
eslint
stylelint
composer ✅ 100/100
npm ❌ 1/498 denied
PHPUnit ⏭️
Newman ⏭️
Playwright ⏭️

❌ Denied npm licenses

Package Version License
apexcharts 5.10.6 Custom: https://apexcharts.com/media/apexcharts-logo.png

Quality workflow — 2026-05-01 11:49 UTC

Download the full PDF report from the workflow artifacts.

rubenvdlinde added a commit that referenced this pull request May 3, 2026
…asset only) (#86)

The central Quality workflow (ConductionNL/.github#34) now publishes SBOMs
exclusively as release assets — see SECURITY.md "Software Bill of Materials".

This PR cleans up the per-app remnants:
- delete .github/workflows/sbom.yml (the central job replaces it)
- delete the checked-in sbom.cdx.json (release asset is the source of truth)
- gitignore SBOM files so future generations don't accidentally land in repo

Stable URL for clients:
  https://github.com/ConductionNL/mydash/releases/latest/download/sbom.cdx.json

Co-authored-by: SBOM Cleanup <ops@conduction.nl>
rubenvdlinde added a commit that referenced this pull request May 3, 2026
…cloud sections

Cleans up the .gitignore around three problems:

- Duplicates: /node_modules/, /node_modules/*, node_modules/ all
  appearing — and likewise for /vendor/. Reduce to the canonical
  /node_modules/ + /vendor/ form.
- Missing entries that have actually bitten the repo:
  - /*.iml + *.Identifier (IntelliJ-derived editors)
  - /docusaurus/{node_modules,build,.docusaurus}/ (the docs build
    artifacts were only partially ignored)
  - /coverage-frontend/, /quality-reports/, /tests/.phpunit.cache,
    /.php-cs-fixer.cache (test/quality artifacts)
  - /custom_apps/, /config/ (when checked out inside a Nextcloud
    server tree — applies to the dev-docker setup)
  - .claude/worktrees/ (matches the workflow we converged on for
    parallel-agent work in this repo)
- Reorganise into clearly labelled sections (IDE, OS, Editor swap,
  Claude Code, Dependencies, Build artifacts, Documentation,
  Testing & Quality, PHP, Environment, Nextcloud, SBOM) so it's
  easier to scan and add to.

Preserves every entry the previous .gitignore actually used —
notably the SBOM ignores added by #86, the .env / .env.local
entries, and the editor swap files.

Builds on / supersedes the abandoned chore/19/harmonize-gitignore
branch which was based on a much older dev tip and would have
dropped the SBOM + env entries on merge.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant