diff --git a/.gitlab/merge_request_templates/new_feature.md b/.gitlab/merge_request_templates/new_feature.md index 74abae94c94dc0768bb5c51fe51ad253fce113fe..491b7f98ded7e0da03d18c95978eafcb7d86619f 100644 --- a/.gitlab/merge_request_templates/new_feature.md +++ b/.gitlab/merge_request_templates/new_feature.md @@ -8,8 +8,8 @@ Closes #999 ## Checklist * General: - * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced) - * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable) + * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced) + * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable) * Publicly usable: * [ ] untagged runners * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy` diff --git a/CHANGELOG.md b/CHANGELOG.md index 57a5d8a90deff76c9872e1b432d29770be1d680a..0495543f52c29962ea97c0fd2ead59a96f2f254c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,11 @@ -# [4.3.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/maven/compare/4.2.0...4.3.0) (2025-01-29) +## [4.3.1](https://gitlab.com/to-be-continuous/maven/compare/4.3.0...4.3.1) (2025-01-31) + + +### Bug Fixes + +* **sbom:** only generate SBOMs on prod branches, integ branches and release tags ([88eb63d](https://gitlab.com/to-be-continuous/maven/commit/88eb63d5cfcf910eac98d2b0c5edbde72a6b5873)) + +# [4.3.0](https://gitlab.com/to-be-continuous/maven/compare/4.2.0...4.3.0) (2025-01-28) ### Features diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2831ae8d17d986ab3703d359dc3aa63616394d8f..e7882cc7a81c3ed890408da8dc2f432f1a5e97df 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -61,7 +61,7 @@ To contribute: 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template). 2. Make sure the issue has been reviewed and agreed. -3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation). +3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation). Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed. ### Git Commit Conventions diff --git a/README.md b/README.md index 57c6990fa133ffa792192d61d8be4e8ea7376b00..b240442c8bb671474a06f5018bc37c75b3a85c47 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,8 @@ This project implements a GitLab CI/CD template to build, test and analyse your ## Usage -This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) -or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax. +This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) +or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax. ### Use as a CI/CD component @@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`: ```yaml include: # 1: include the component - - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0 + - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.1 # 2: set/override component inputs inputs: # ⚠ this is only an example @@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`: include: # 1: include the template - project: 'to-be-continuous/maven' - ref: '4.3.0' + ref: '4.3.1' file: '/templates/gitlab-ci-maven.yml' variables: 
@@ -46,18 +46,28 @@ The Maven template uses some global configuration throughout all jobs. | Input / Variable | Description | Default value | | --------------------- |--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------| -| `image` / `MAVEN_IMAGE` | The Docker image used to run Maven <br/>:warning: **set the version required by your project** | `registry.hub.docker.com/library/maven:latest` | +| `image` / `MAVEN_IMAGE` | The Docker image used to run Maven <br/>:warning: **set the version required by your project** | `registry.hub.docker.com/library/maven:latest` <br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-MAVEN_IMAGE) | | `project-dir` / `MAVEN_PROJECT_DIR` | Maven projet root directory | `.` | | `cfg-dir` / `MAVEN_CFG_DIR` | The Maven configuration directory | `.m2` | | `settings-file` / `MAVEN_SETTINGS_FILE` | The Maven `settings.xml` file path | `${MAVEN_CFG_DIR}/settings.xml` | | `opts` / `MAVEN_OPTS` | [Global Maven options](http://maven.apache.org/configure.html#maven_opts-environment-variable) | `-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=${MAVEN_CFG_DIR}/repository -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true` | | `cli-opts` / `MAVEN_CLI_OPTS` | Additional [Maven options](https://maven.apache.org/ref/3-LATEST/maven-embedder/cli.html) used on the command line | `--no-transfer-progress --batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true` | +### About `$MAVEN_IMAGE` + +Each job in the template will use the defined container image to provide the Maven and Java runtime to the job context. +That's why it is mandatory that you set the version of Maven as required by your project (e.g. 
`registry-1.docker.io/library/maven:3.9.9-eclipse-temurin-21` for Maven 3.9.9 on Eclipse Temurin JDK 21). + +#### Use of the Maven Wrapper + +Maven Wrapper - although very convenient for the developer to automatically download and use the required Maven version on each developer environment - is **not supported by this template**. +We consider reinstalling over and over again another version of Maven in every job would be dumb: better pull directly an image with the right version. + ### About `$MAVEN_CFG_DIR` This variable is used to define the Maven configuration directory. It is used to declare the cache policy and marked the `${MAVEN_CFG_DIR}/repository` directory as cached (not to download Maven dependencies over and over again). -If you have a good reason to do differently, you'll have to override the `MAVEN_CLI_OPTS` variable as well as the [`cache`](https://docs.gitlab.com/ee/ci/yaml/#cache) policy. +If you have a good reason to do differently, you'll have to override the `MAVEN_CLI_OPTS` variable as well as the [`cache`](https://docs.gitlab.com/ci/yaml/#cache) policy. ### About `$MAVEN_SETTINGS_FILE` @@ -66,7 +76,7 @@ If a file is found at the `$MAVEN_SETTINGS_FILE` location, the template automati Note that with this design you are free to either: 1. inline the `settings.xml` file into your repository source (:warning: make sure not to inline secrets but use the `${env.MY_PASSWORD}` replacement pattern instead and define the `MY_PASSWORD` variable as secret project variable), -2. or define the `settings.xml` content as a [file type project variable](https://docs.gitlab.com/ee/ci/variables/#use-file-type-cicd-variables). +2. or define the `settings.xml` content as a [file type project variable](https://docs.gitlab.com/ci/variables/#use-file-type-cicd-variables). ## Jobs 
@@ -88,7 +98,7 @@ It uses the following variable: With its default arguments, the GitLab CI template for Maven forces the use of [JaCoCo Maven Plugin](https://www.eclemma.org/jacoco/trunk/doc/maven.html) to compute code coverage during unit tests execution. -In addition it makes the necessary to [integrate code coverage stats into your GitLab project](https://docs.gitlab.com/ee/ci/testing/code_coverage.html#view-code-coverage-results-in-the-mr) (report badge and viewable coverage in merge requests). +In addition it makes the necessary to [integrate code coverage stats into your GitLab project](https://docs.gitlab.com/ci/testing/code_coverage/#view-coverage-results) (report badge and viewable coverage in merge requests). If you want to fix the JaCoCo plugin version or tweak the default configuration, you may have to configure the [JaCoCo Maven Plugin](https://www.eclemma.org/jacoco/trunk/doc/maven.html) in your `pom.xml`, but be aware of the @@ -98,7 +108,7 @@ following: unit tests (not necessarily with the expected configuration). If you really need to do so anyway, you'll have to override the `$MAVEN_BUILD_ARGS` variable to remove the explicit invocation to JaCoCo goals. * make sure the `report` goal computes a CSV report (that's default behavior), that is used by the Maven template to compute the global coverage stat, -* make sure the `report` goal computes an XML report (that's default behavior), that is required to support [GitLab code coverage intergation](https://docs.gitlab.com/ee/ci/testing/test_coverage_visualization/jacoco.html). +* make sure the `report` goal computes an XML report (that's default behavior), that is required to support [GitLab code coverage intergation](https://docs.gitlab.com/ci/testing/code_coverage/jacoco/). More info: 
@@ -113,18 +123,18 @@ This job uses the following variables: | Input / Variable | Description | Default value | | ------------------------ | -------------------------------------- | ----------------- | | `sonar-host-url` / `SONAR_HOST_URL` | SonarQube server url | _none_ (disabled) | -| :lock: `SONAR_TOKEN` | SonarQube authentication [token](https://docs.sonarsource.com/sonarqube/latest/user-guide/user-account/generating-and-using-tokens/#using-a-token) (depends on your authentication method) | _none_ | -| :lock: `SONAR_LOGIN` | SonarQube [login](https://docs.sonarsource.com/sonarqube/latest/extension-guide/web-api/#http-basic-access) (depends on your authentication method) | _none_ | +| :lock: `SONAR_TOKEN` | SonarQube authentication [token](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/#using-a-token) (depends on your authentication method) | _none_ | +| :lock: `SONAR_LOGIN` | SonarQube [login](https://docs.sonarsource.com/sonarqube-server/latest/extension-guide/web-api/#http-basic-access) (depends on your authentication method) | _none_ | | :lock: `SONAR_PASSWORD` | SonarQube password (depends on your authentication method) | _none_ | -| `sonar-base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/analysis-parameters/) | `sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` | -| `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ | _none_ (disabled) | +| `sonar-base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis 
arguments](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) | `sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` | +| `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/instance-administration/analysis-functions/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ | _none_ (disabled) | | `mvn-sonar-job-tags` / `MVN_SONAR_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | #### Recommended minimal configuration 1. set the `SONAR_HOST_URL` value either in your `.gitlab-ci.yml` file or as a project or group variable (:warning: setting it as a group variable will enable the SonarQube analysis for all the children projects), 2. define your SonarQube credentials (:lock: `SONAR_TOKEN` or `SONAR_LOGIN` & :lock: `SONAR_PASSWORD`) as project or group variables, -3. configure the project SonarQube settings in the `pom.xml` file (:warning: the [SonarScanner for Maven](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner-for-maven/#configuring-analysis) completely ignores the `sonar-project.properties` file): +3. configure the project SonarQube settings in the `pom.xml` file (:warning: the [SonarScanner for Maven](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/#configuring-analysis) completely ignores the `sonar-project.properties` file): ```xml <properties> <!-- the SonarQube project key --> 
@@ -133,9 +143,9 @@ This job uses the following variables: ... </properties> ``` - More info about [SonarQube settings](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner-for-maven/#analyzing) + More info about [SonarQube settings](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/#analyzing) -:warning: if using [SonarCloud](https://sonarcloud.io/) (a cloud-based SonarQube-as-a-Service), you'll have to define the additional `sonar.organization` property ([see mandatory-parameters](https://docs.sonarcloud.io/advanced-setup/analysis-parameters/#mandatory-parameters)). +:warning: if using [SonarCloud](https://docs.sonarsource.com/sonarqube-cloud/) (a cloud-based SonarQube-as-a-Service), you'll have to define the additional `sonar.organization` property ([see mandatory-parameters](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/#mandatory-parameters)). :information_source: As SonarCloud determined the `organization` and `projectKey` properties from the project's GitLab context when importing the project, you can reuse the predefined GitLab variables as follows in your `pom.xml`: ```xml 
@@ -148,13 +158,13 @@ This job uses the following variables: #### Automatic Branch Analysis & Merge Request Analysis -This template relies on SonarScanner's [GitLab integration](https://docs.sonarsource.com/sonarqube/latest/devops-platform-integration/gitlab-integration/), which is able to auto-detect whether to launch Branch Analysis or Merge Request Analysis +This template relies on SonarScanner's [GitLab integration](https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/gitlab-integration/introduction/), which is able to auto-detect whether to launch Branch Analysis or Merge Request Analysis from GitLab's environment variables. :warning: This feature also depends on your SonarQube server version and license. If using Community Edition, you'll have to install the [sonarqube-community-branch-plugin](https://github.com/mc1arke/sonarqube-community-branch-plugin) to enable automatic Branch & Merge Request analysis (only works from SonarQube version 8). -:warning: Merge Request Analysis only works if you're running [Merge Request pipeline](https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines) strategy (default). +:warning: Merge Request Analysis only works if you're running [Merge Request pipeline](https://docs.gitlab.com/ci/yaml/workflow/#switch-between-branch-pipelines-and-merge-request-pipelines) strategy (default). #### Disable the job 
@@ -232,6 +242,7 @@ It is bound to the `test` stage, and uses the following variables: | Input / Variable | Description | Default value | | --------------------- | -------------------------------------- | ----------------- | | `sbom-disabled` / `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | +| `TBC_SBOM_MODE` | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence | `onrelease` | | `sbom-gen-args` / `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` | | `mvn-sbom-job-tags` / `MVN_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | @@ -325,11 +336,11 @@ Your Maven repository may require authentication credentials to publish artifact You may handle them in the following ways: -1. define all required credentials as :lock: [project variables](https://docs.gitlab.com/ee/ci/variables/#for-a-project), +1. define all required credentials as :lock: [project variables](https://docs.gitlab.com/ci/variables/#for-a-project), 2. make sure your `pom.xml` (or ancestor) [declares your `<repository>` and `<snapshotRepository>` with server **id**s in a `<distributionManagement>` section](https://maven.apache.org/pom.html#repository), 3. in your `${MAVEN_CFG_DIR}/settings.xml` file, [define the repository servers credentials in the `<servers>` section](https://maven.apache.org/settings.html#Servers) using the `${env.VARIABLE}` pattern—will be automatically evaluated and replaced by Maven. -**Example 1** — using the [GitLab Maven Repository](https://docs.gitlab.com/ee/user/packages/maven_repository/) +**Example 1** — using the [GitLab Maven Repository](https://docs.gitlab.com/user/packages/maven_repository/) `pom.xml`: 
@@ -354,7 +365,7 @@ You may handle them in the following ways: <settings> <servers> <!-- required when using GitLab's package registry to deploy --> - <!-- see: https://docs.gitlab.com/ee/user/packages/maven_repository/index.html#use-the-gitlab-endpoint-for-maven-packages --> + <!-- see: https://docs.gitlab.com/user/packages/maven_repository/index/#use-the-gitlab-endpoint-for-maven-packages --> <server> <id>gitlab-maven</id> <configuration> @@ -419,9 +430,9 @@ You can either use an `ssh` key or an authenticated and authorized Git user. ##### Using an SSH key -We recommend you to use a [project deploy key](https://docs.gitlab.com/ee/user/project/deploy_keys/#project-deploy-keys) with write access to your project. +We recommend you to use a [project deploy key](https://docs.gitlab.com/user/project/deploy_keys/#project-deploy-keys) with write access to your project. -The key should not have a passphrase (see [how to generate a new SSH key pair](https://docs.gitlab.com/ee/user/ssh.html#generate-an-ssh-key-pair)). +The key should not have a passphrase (see [how to generate a new SSH key pair](https://docs.gitlab.com/user/ssh/#generate-an-ssh-key-pair)). Specify :lock: `$GIT_PRIVATE_KEY` as protected project variable with the private part of the deploy key. @@ -543,9 +554,9 @@ All authentication methods should use masked GitLab environment variables. ```yaml include: # main template - - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0 + - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.1 # Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template - - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.3.0 + - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.3.1 ``` ## Variants 
@@ -566,7 +577,7 @@ In order to be able to communicate with the Vault server, the variant requires t | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ | | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ | -By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables. +By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables. #### Usage @@ -588,9 +599,9 @@ With: ```yaml include: # main template - - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0 + - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.1 # Vault variant - - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-vault@4.3.0 + - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-vault@4.3.1 variables: # Vault configuration diff --git a/kicker.json b/kicker.json index f82cb7da42921fabe10f48e7023fe46a670406d4..dd0167af60e95f3a63a295e1c8fff6f96f076ef6 100644 --- a/kicker.json +++ b/kicker.json 
@@ -171,6 +171,14 @@ "description": "This job generates a file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)", "disable_with": "MAVEN_SBOM_DISABLED", "variables": [ + { + "name": "TBC_SBOM_MODE", + "type": "enum", + "values": ["onrelease", "always"], + "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)", + "advanced": true, + "default": "onrelease" + }, { "name": "MAVEN_SBOM_GEN_ARGS", "description": "Maven command used for SBOM analysis", diff --git a/templates/gitlab-ci-maven-vault.yml b/templates/gitlab-ci-maven-vault.yml index 9584991a908d6448de10f27dc15f39ad5dd288c9..1f6c52d6218a64d1cc076fc6f2bdd19d9c489601 100644 --- a/templates/gitlab-ci-maven-vault.yml +++ b/templates/gitlab-ci-maven-vault.yml @@ -22,7 +22,7 @@ variables: .mvn-base: services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "maven", "4.3.0"] + command: ["--service", "maven", "4.3.1"] - name: "$TBC_VAULT_IMAGE" alias: "vault-secrets-provider" variables: diff --git a/templates/gitlab-ci-maven.yml b/templates/gitlab-ci-maven.yml index a1d11fa0b8e0abe8c26a1a38e5fb5312307dd1a4..eccde4debbafc5bf338cc5130eab0cbf08565f4a 100644 --- a/templates/gitlab-ci-maven.yml +++ b/templates/gitlab-ci-maven.yml 
@@ -208,7 +208,18 @@ workflow: # else (Ready MR): auto & failing - when: on_success +# software delivery job prototype: run on production and integration branches + release pipelines +.delivery-policy: + rules: + # on tag with release pattern + - if: '$CI_COMMIT_TAG =~ $RELEASE_REF' + # on production or integration branch(es) + - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF' + variables: + # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs) + TBC_SBOM_MODE: "onrelease" + # Default Maven project root directory MAVEN_PROJECT_DIR: $[[ inputs.project-dir ]] # Maven image (can be overridden) @@ -635,7 +646,7 @@ stages: image: $MAVEN_IMAGE services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "maven", "4.3.0"] + command: ["--service", "maven", "4.3.1"] before_script: - !reference [.mvn-scripts] - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}" @@ -774,7 +785,13 @@ mvn-sbom: # exclude if disabled - if: '$MAVEN_SBOM_DISABLED == "true"' when: never - - !reference [.test-policy, rules] + # 'always' mode: run + - if: '$TBC_SBOM_MODE == "always"' + # exclude unsupported modes + - if: '$TBC_SBOM_MODE != "onrelease"' + when: never + # 'onrelease' mode: use common software delivery rules + - !reference [.delivery-policy, rules] tags: $[[ inputs.mvn-sbom-job-tags ]] mvn-deploy-snapshot:
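Review bot: The two `if:` rules in `.delivery-policy` gate only on ref names (`$CI_COMMIT_TAG =~ $RELEASE_REF`, `$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF`), so anyone who can push a branch or tag whose name matches the pattern lands in the "software delivery" policy, which is not the same boundary as GitLab protected refs. If jobs reusing this anchor (the SBOM job in this MR, possibly more later) are meant to produce release evidence, consider additionally requiring `$CI_COMMIT_REF_PROTECTED == "true"` in both rules, or at least say in the header comment that the policy is name-based only. `$PROD_REF`, `$INTEG_REF` and `$RELEASE_REF` are defined outside this hunk, so I cannot confirm how tightly anchored those regexes are, and an empty or non-regex value on the right side of `=~` would change how the rule evaluates. I would also make the `TBC_SBOM_MODE` comment list the accepted values and the failure mode, e.g. `# TBC_SBOM_MODE: "onrelease" (delivery refs only) | "always" (every pipeline); any other value disables mvn-sbom`.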
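Review bot: The rule `- if: '$TBC_SBOM_MODE != "onrelease"'` / `when: never` silently drops the SBOM job for any value that is not exactly `always` or `onrelease` (a typo such as `Always`, or an empty override), with nothing in the pipeline showing why; since this job is the only producer of the CycloneDX report I would make that explicit in the comment: `# any value other than "onrelease"/"always" (including a typo) disables the job without error`. The `onrelease` default also means merge-request pipelines no longer produce an SBOM, so anything that consumed the aggregate BOM as a pre-merge check now only sees it on integ/prod branches and release tags; that deserves a sentence in the README beyond the changelog's "bug fix" entry. On the README row added for this variable, the precedence note names `DOCKER_SBOM_DISABLED`, while the variable this rule actually checks is `MAVEN_SBOM_DISABLED` — looks like a copy from the docker template. The `!reference [.delivery-policy, rules]` target is defined in the earlier hunk of this file, outside this one.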