Merge branch '35-generate-and-upload-sbom-on-release' into 'main'

Resolve "generate and upload sbom on release"

Closes #35

See merge request !23

.gitlab-ci.yml

@@ -7,16 +7,18 @@ workflow:
   rules:
     - if: $CI_MERGE_REQUEST_IID
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
 
 stages:
   - test
   - release
   - build
+  - deploy
 
 variables:
   harbor_registry: "harbor.gwdg.de"
   harbor_repo: "sub-fe"
-
+  project_name: "repdav"
 
 lint dockerfile:
   stage: test
@@ -40,7 +42,7 @@ lint dockerfile:
 
 release:
   stage: release
-  image: docker.io/node:16.14
+  image: docker.io/node:18.12
   before_script:
     - npm ci --unsafe-perm
   script:
@@ -66,8 +68,49 @@ build container image:
       --build-arg build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
       --build-arg vcs_ref=${CI_COMMIT_SHORT_SHA}
       --build-arg version=${version}
-      --destination $CI_REGISTRY_IMAGE/repdav:$version
-      --destination $harbor_registry/$harbor_repo/repdav:$version
+      --destination $CI_REGISTRY_IMAGE/$project_name:$version
+      --destination $harbor_registry/$harbor_repo/$project_name:$version
   rules:
+    # prevent job creation on release commits to $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE =~ /^chore\(release\):/
+      when: never
     - if: $CI_MERGE_REQUEST_IID
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
+
+generate app sbom:
+  stage: deploy
+  image: docker.io/node:18.12
+  before_script:
+    - npm ci --ignore-scripts
+    - npm run build
+  script:
+    - npx cdxgen
+      --type nodejs
+      --required-only
+      --server-url https://deps.sub.uni-goettingen.de
+      --api-key ${DEPS_UPLOAD_TOKEN}
+      --project-name ${project_name}
+      --project-version ${CI_COMMIT_TAG}
+  rules:
+    - if: $CI_COMMIT_TAG
+
+generate container sbom:
+  stage: deploy
+  image: docker.io/alpine:3.16
+  before_script:
+    - apk add curl
+    - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+  script:
+    - syft --output cyclonedx-json --file bom.json
+      $CI_REGISTRY_IMAGE/${project_name}:${CI_COMMIT_TAG}
+    - 'curl -X POST "https://deps.sub.uni-goettingen.de/api/v1/bom"
+      --header "accept: application/json"
+      --header "X-Api-Key: ${DEPS_UPLOAD_TOKEN}"
+      --header "Content-Type: multipart/form-data"
+      --form "autoCreate=true"
+      --form "projectName=${project_name}-container"
+      --form "projectVersion=${CI_COMMIT_TAG}"
+      --form "bom=@bom.json"'
+  rules:
+    - if: $CI_COMMIT_TAG

package.json

@@ -2,10 +2,11 @@
   "name": "repdav",
   "private": true,
   "devDependencies": {
-    "@semantic-release/changelog": "^6.0.1",
+    "@appthreat/cdxgen": "^6.0.0",
+    "@semantic-release/changelog": "^6.0.2",
     "@semantic-release/git": "^10.0.1",
-    "@semantic-release/gitlab": "^7.0.4",
-    "semantic-release": "^19.0.2"
+    "@semantic-release/gitlab": "^9.5.1",
+    "semantic-release": "^19.0.5"
   },
   "release": {
     "branches": [
@@ -38,7 +39,8 @@
         {
           "assets": [
             "CHANGELOG.md"
-          ]
+          ],
+          "message": "chore(release): ${nextRelease.version}\n\n${nextRelease.notes}"
         }
       ]
     ]