Merge remote-tracking branch 'upstream/master'

# Conflicts: # .gitlab-ci.yml # CHANGELOG.md # templates/gitlab-ci-node.yml

Merge remote-tracking branch 'upstream/master'
4328ad86 · Benguria Elguezabal, Gorka · 13141a75 · 0930ddd9 · 4328ad86 · 4328ad86
Commit 4328ad86 authored 1 month ago by Benguria Elguezabal, Gorka
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist

 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
    * [ ] untagged runners
    * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-# [4.2.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/node/compare/4.1.1...4.2.0) (2025-01-29)
+## [4.2.2](https://gitlab.com/to-be-continuous/node/compare/4.2.1...4.2.2) (2025-04-16)
+
+
+### Bug Fixes
+
+* **pnpm:** double dash not supported by pnpm ([776ddb5](https://gitlab.com/to-be-continuous/node/commit/776ddb5168174108f2d1c01a0bfaddd8e9e293d9))
+
+## [4.2.1](https://gitlab.com/to-be-continuous/node/compare/4.2.0...4.2.1) (2025-01-31)
+
+
+### Bug Fixes
+
+* **sbom:** only generate SBOMs on prod branches, integ branches and release tags ([b61bdcd](https://gitlab.com/to-be-continuous/node/commit/b61bdcdc294567e78771e83fc2fceb122a3c16fe))
+
+# [4.2.0](https://gitlab.com/to-be-continuous/node/compare/4.1.1...4.2.0) (2025-01-27)


 ### Features

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:

 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
   Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.

 ### Git Commit Conventions

--- a/README.md
+++ b/README.md
--- a/kicker.json
+++ b/kicker.json
@@ -189,6 +189,14 @@
      "description": "This job generates a file listing all dependencies using [@cyclonedx/cyclonedx-npm](https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm)",
      "disable_with": "NODE_SBOM_DISABLED",
      "variables": [
+        {
+          "name": "TBC_SBOM_MODE",
+          "type": "enum",
+          "values": ["onrelease", "always"],
+          "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
+          "advanced": true,
+          "default": "onrelease"
+        },
        {
          "name": "NODE_SBOM_VERSION",
          "description": "Version of the @cyclonedx/cyclonedx-npm used for SBOM analysis",

--- a/templates/gitlab-ci-node-vault.yml
+++ b/templates/gitlab-ci-node-vault.yml
@@ -22,7 +22,7 @@ variables:
 .node-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "node", "4.2.0"]
+      command: ["--service", "node", "4.2.2"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-node.yml
+++ b/templates/gitlab-ci-node.yml
@@ -193,7 +193,18 @@ workflow:
    # else (Ready MR): auto & failing
    - when: on_success

+# software delivery job prototype: run on production and integration branches + release pipelines
+.delivery-policy:
+  rules:
+    # on tag with release pattern
+    - if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
+    # on production or integration branch(es)
+    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+
 variables:
+  # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
+  TBC_SBOM_MODE: "onrelease"
+
  # Default docker image for Node
  NODE_IMAGE: $[[ inputs.image ]]
  # Default Node project root directory
@@ -633,7 +644,7 @@ stages:
  image: $NODE_IMAGE
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "node", "4.2.0"]
+      command: ["--service", "node", "4.2.2"]
  variables:
    # Yarn cache (better than --cache-folder option, deprecated)
    YARN_CACHE_FOLDER: "$CI_PROJECT_DIR/$NODE_PROJECT_DIR/.yarn"
@@ -715,8 +726,13 @@ node-lint:
        # generate eslint report for SonarQube
        # shellcheck disable=SC2086
        log_info "SonarQube detected: producing ESLint JSON report..."
+        if [ "$NODE_MANAGER" = "pnpm" ]
+        then
+          $NODE_MANAGER $NODE_LINT_ARGS --format=json --output-file=reports/node-lint.xslint.json || true
+        else
          $NODE_MANAGER $NODE_LINT_ARGS -- --format=json --output-file=reports/node-lint.xslint.json || true
        fi
+      fi
    # maybe add eslint-formatter-gitlab
    - |
      if ! $NODE_MANAGER list | grep eslint-formatter-gitlab > /dev/null
@@ -726,7 +742,13 @@ node-lint:
      fi
    # run ESLint with console output and GitLab report
    # shellcheck disable=SC2086
-    - ESLINT_CODE_QUALITY_REPORT=reports/node-lint.gitlab.json $NODE_MANAGER $NODE_LINT_ARGS -- --format=gitlab
+    - |
+      if [ "$NODE_MANAGER" = "pnpm" ]
+      then
+        ESLINT_CODE_QUALITY_REPORT=reports/node-lint.gitlab.json $NODE_MANAGER $NODE_LINT_ARGS --format=gitlab
+      else
+        ESLINT_CODE_QUALITY_REPORT=reports/node-lint.gitlab.json $NODE_MANAGER $NODE_LINT_ARGS -- --format=gitlab
+      fi
  artifacts:
    when: always # store artifact even if test Failed
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
@@ -869,7 +891,13 @@ node-sbom:
    # exclude if disabled
    - if: '$NODE_SBOM_DISABLED == "true"'
      when: never
-    - !reference [.test-policy, rules]
+    # 'always' mode: run
+    - if: '$TBC_SBOM_MODE == "always"'
+    # exclude unsupported modes
+    - if: '$TBC_SBOM_MODE != "onrelease"'
+      when: never
+    # 'onrelease' mode: use common software delivery rules
+    - !reference [.delivery-policy, rules]
  tags: $[[ inputs.node-sbom-job-tags ]]

 node-publish: