diff --git a/README.md b/README.md
index 3186cfe998840bd846291ab214f45f480bf202c7..c484ef9893e15d1a8a65ff3f4856745cb2400f7d 100644
--- a/README.md
+++ b/README.md
@@ -228,6 +228,7 @@ It is bound to the `test` stage, and uses the following variables: | Input / Variable | Description | Default value | | --------------------- | -------------------------------------- | ----------------- | | `sbom-disabled` / `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | +| `TBC_SBOM_MODE` | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence | `onrelease` | | `sbom-gen-args` / `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` | ### `mvn-release` & `mvn-deploy-*` jobs
diff --git a/kicker.json b/kicker.json
index 3b35fe22e196e183707264d60baace708cb0b2a5..c901d78a0077a18c87667dcbb67d0eb835f79697 100644
--- a/kicker.json
+++ b/kicker.json
@@ -115,6 +115,14 @@ "description": "This job generates a file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)", "disable_with": "MAVEN_SBOM_DISABLED", "variables": [ + { "name": "TBC_SBOM_MODE", "type": "enum", "values": ["onrelease", "always"], "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)", "advanced": true, "default": "onrelease" }, { "name": "MAVEN_SBOM_GEN_ARGS", "description": "Maven command used for SBOM analysis",
diff --git a/templates/gitlab-ci-maven.yml b/templates/gitlab-ci-maven.yml
index 6ff9e23588d99f9cc1a47f6e10283486afc4c4c9..3f3ed0351549d9b3ea4e7c1b7a7d1c971992f172 100644
--- a/templates/gitlab-ci-maven.yml
+++ b/templates/gitlab-ci-maven.yml
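Review bot: The new `TBC_SBOM_MODE` entry's `description` stops at the mode semantics and omits the precedence rule, so generated docs will not tell users that the `disable_with` variable `MAVEN_SBOM_DISABLED` (three lines above) overrides any mode; append the sentence "`MAVEN_SBOM_DISABLED` takes precedence" to the description so it matches the README row. The README row added in the same commit attributes that precedence to `DOCKER_SBOM_DISABLED`, which looks carried over from a Docker template — in this project the disable variable is `MAVEN_SBOM_DISABLED`, as both `disable_with` here and the preceding README table row show, so that name should be corrected as well. Both hunks on this line are rendered collapsed, so their exact line boundaries are inferred from the hunk counts.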
@@ -173,7 +173,18 @@ workflow: # else (Ready MR): auto & failing - when: on_success +# software delivery job prototype: run on production and integration branches + release pipelines +.delivery-policy: + rules: + # on tag with release pattern + - if: '$CI_COMMIT_TAG =~ $RELEASE_REF' + # on production or integration branch(es) + - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF' variables: # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs) TBC_SBOM_MODE: "onrelease" # Default Maven project root directory MAVEN_PROJECT_DIR: $[[ inputs.project-dir ]] # Maven image (can be overridden)
@@ -735,7 +746,13 @@ mvn-sbom:
 # exclude if disabled
 - if: '$MAVEN_SBOM_DISABLED == "true"'
 when: never
- - !reference [.test-policy, rules]
+ # 'always' mode: run
+ - if: '$TBC_SBOM_MODE == "always"'
+ # exclude unsupported modes
+ - if: '$TBC_SBOM_MODE != "onrelease"'
+ when: never
+ # 'onrelease' mode: use common software delivery rules
+ - !reference [.delivery-policy, rules]
 
 mvn-deploy-snapshot:
 extends: .mvn-base
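Review bot: `.delivery-policy` is documented only by its one-line "prototype" comment, yet its correctness depends on `$RELEASE_REF`, `$PROD_REF` and `$INTEG_REF` holding slash-delimited regex patterns (presumably defined earlier in this template, outside the hunk) and on `$CI_COMMIT_TAG` being unset on branch pipelines so that the first rule is a no-match there; both assumptions belong in the comment, e.g. `# expects $RELEASE_REF/$PROD_REF/$INTEG_REF to hold /regex/ patterns; the tag rule only matches on tag pipelines`. Since the anchor is meant to be consumed through `!reference [.delivery-policy, rules]`, the comment should also say it carries rules only, no `when:` or job keys. The `workflow:` rules this hunk opens with begin before the hunk, and the `variables:` block continues past it.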
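Review bot: The guard `- if: '$TBC_SBOM_MODE != "onrelease"'` / `when: never` makes any unrecognised value (a typo such as `onRelease`, or an override set to an empty string) silently drop the `mvn-sbom` job, turning a misconfiguration into a missing SBOM with no signal in the pipeline, while the explicit off switch already exists two rules above as `MAVEN_SBOM_DISABLED == "true"`. Prefer failing safe for a supply-chain artefact: remove those two lines and reword the last comment to `# any other mode: fall back to the common software delivery rules` so the `!reference [.delivery-policy, rules]` fallthrough applies to unknown values. The `enum` declared in `kicker.json` constrains UI-driven values only; a variable set directly in project or group settings can carry any string. The `mvn-sbom` job definition begins before this hunk.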