
feat(ci): add CycloneDX SBOM generation to project CI pipeline #1048

Merged: Soner (shyim) merged 5 commits into next from claude/add-sbom-generator-ci-Pz3qq on May 22, 2026

Conversation

@shyim (Member)

Summary

  • Generate CycloneDX SBOM from composer.lock during shopware-cli project ci
  • Support configurable output path and dev dependency inclusion via .shopware-project.yml
  • Emit CycloneDX 1.7 format with proper application metadata and tool attribution
  • Add missing swx symlink to Arch Linux, Nix, NFPM, and Homebrew Cask packaging

Test plan

  • go test ./cmd/project/ -run TestGenerateProjectSBOM — verifies default output (excludes dev deps)
  • go test ./cmd/project/ -run TestGenerateProjectSBOMIncludeDev — verifies IncludeDev: true
  • go test ./cmd/project/ -run TestGenerateProjectSBOMSkipsWhenLockMissing — verifies graceful skip
  • go test ./internal/sbom/... — full CycloneDX generation coverage
  • go vet ./... — no new issues

Claude (claude) and others added 4 commits May 21, 2026 14:28
Generates a CycloneDX 1.5 JSON SBOM from composer.lock during
`shopware-cli project ci`. Output is opt-in via .shopware-project.yml:

    build:
      sbom:
        enabled: true
        path: sbom.cdx.json   # optional, default sbom.cdx.json
        include_dev: false    # optional

License identifiers are validated against the embedded SPDX database
so non-SPDX values (e.g. "proprietary") land in license.name rather
than license.id, per the CycloneDX spec.

Drop the build.sbom.enabled opt-in flag; the SBOM is now produced
unconditionally during `shopware-cli project ci`. The step is a no-op
when composer.lock is absent, and path/include_dev remain configurable
under build.sbom.

Bumps the spec version to the current CycloneDX release (1.7) and
migrates metadata.tools to the structured `{components: [...]}`
shape required by 1.6+; the legacy flat array form is no longer
emitted.
@shyim Soner (shyim) changed the base branch from main to next May 22, 2026 03:40
@chatgpt-codex-connector

💡 Codex Review

    composer.Cmd.Env = append(os.Environ(),
        "COMPOSER_AUTH="+token,
    )

P1: Forward COMPOSER_AUTH through executor environment

This sets COMPOSER_AUTH on composer.Cmd.Env, which works for local execution but not for the Docker executor path introduced in this commit: DockerExecutor only forwards container env vars from its internal d.env map into docker compose exec -e ... (internal/executor/docker.go, baseArgs). As a result, project ci in environment.type: docker won't pass auth to Composer inside the container, so installs from private repositories can fail.


    p.Cmd.Env = append(os.Environ(), fmt.Sprintf("MESSENGER_CONSUMER_NAME=%s-%d", baseName, index))

P2: Pass messenger consumer name via executor WithEnv

In Docker mode this assigns MESSENGER_CONSUMER_NAME only to the host docker compose process, not to the process inside the container. The Docker executor injects container env via -e arguments from Executor.WithEnv(...), so workers started here can lose their per-worker consumer names and run with the same default name, which can cause consumer collisions when multiple workers are started.


    ring := make([]string, 0, n)
    for scanner.Scan() {
        if len(ring) < n {
            ring = append(ring, scanner.Text())
        } else {
            copy(ring, ring[1:])
            ring[n-1] = scanner.Text()
        }
    }

P2: Guard against non-positive --lines in log tailing

This ring-buffer logic panics for invalid --lines values: n < 0 panics at make([]string, 0, n), and n == 0 reaches ring[n-1] (index -1) once at least one line is scanned. A user can trigger this with project logs --lines 0 (or negative), so the command should validate n > 0 before building/using the buffer.

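Added example for the P1 and P2 findings above, not shopware-cli's own code: the page does not show the real `LocalExecutor`/`DockerExecutor` internals, so the `Executor` interface, its `WithEnv` method, the `-T` flag and the `docker compose exec` argv layout here are all assumptions. `ComposerInstall` sets `COMPOSER_AUTH` through `WithEnv`, so the local executor places it in `Cmd.Env` while the Docker executor turns it into a `-e` flag that the container-side process actually sees; `ComposerInstallHostEnvOnly` reproduces the flagged pattern and shows that a value appended to `Cmd.Env` after the command is built stays on the host. The same reasoning covers `MESSENGER_CONSUMER_NAME` in the second finding.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Executor is a hypothetical, minimal stand-in for the project's executor
// abstraction (not shopware-cli's own type): WithEnv records a variable that
// must reach the process the executor finally runs, wherever that process is.
type Executor interface {
	WithEnv(key, value string) Executor
	Command(name string, args ...string) *exec.Cmd
}

// LocalExecutor runs on the host, so Cmd.Env is the target process environment.
type LocalExecutor struct{ env []string } // KEY=VALUE entries, insertion order

func (l *LocalExecutor) WithEnv(k, v string) Executor {
	return &LocalExecutor{env: append(append([]string{}, l.env...), k+"="+v)}
}
func (l *LocalExecutor) Command(name string, args ...string) *exec.Cmd {
	cmd := exec.Command(name, args...)
	cmd.Env = append(os.Environ(), l.env...)
	return cmd
}

// DockerExecutor wraps the command in `docker compose exec`. Only the "-e"
// flags it builds reach the process inside the container; Cmd.Env on the
// returned command is the environment of the host-side docker CLI.
type DockerExecutor struct {
	service string
	env     []string
}

func (d *DockerExecutor) WithEnv(k, v string) Executor {
	return &DockerExecutor{service: d.service, env: append(append([]string{}, d.env...), k+"="+v)}
}
func (d *DockerExecutor) Command(name string, args ...string) *exec.Cmd {
	argv := []string{"compose", "exec", "-T"}
	for _, kv := range d.env {
		argv = append(argv, "-e", kv)
	}
	argv = append(append(argv, d.service, name), args...)
	return exec.Command("docker", argv...)
}

// ComposerInstall is the pattern the review asks for: the auth value goes
// through WithEnv, so both executors deliver it to the Composer process.
func ComposerInstall(ex Executor, token string) *exec.Cmd {
	return ex.WithEnv("COMPOSER_AUTH", token).Command("composer", "install")
}

// ComposerInstallHostEnvOnly mirrors the flagged code: appending to Cmd.Env
// after the executor built the command works locally but never crosses the
// container boundary.
func ComposerInstallHostEnvOnly(ex Executor, token string) *exec.Cmd {
	cmd := ex.Command("composer", "install")
	cmd.Env = append(os.Environ(), "COMPOSER_AUTH="+token)
	return cmd
}

// ContainerEnv returns the KEY=VALUE pairs a docker compose exec argv injects
// into the container (the value following each "-e").
func ContainerEnv(cmd *exec.Cmd) map[string]string {
	out := map[string]string{}
	for i := 0; i+1 < len(cmd.Args); i++ {
		if cmd.Args[i] == "-e" {
			if k, v, ok := strings.Cut(cmd.Args[i+1], "="); ok {
				out[k] = v
			}
		}
	}
	return out
}

// HasEnv reports whether the exact KEY=VALUE entry is present in a Cmd.Env slice.
func HasEnv(env []string, kv string) bool {
	for _, e := range env {
		if e == kv {
			return true
		}
	}
	return false
}

func main() {
	d := &DockerExecutor{service: "web"}
	fmt.Println("via WithEnv:", ContainerEnv(ComposerInstall(d, "<token>")))         // map[COMPOSER_AUTH:<token>]
	fmt.Println("via Cmd.Env:", ContainerEnv(ComposerInstallHostEnvOnly(d, "<token>"))) // map[]
}
```

`WithEnv` copies the entry list rather than mutating the receiver, so an executor shared between steps cannot accumulate one step's credentials into the next. One caveat with the `-e KEY=VALUE` form: the value becomes part of the docker CLI's argument list for the lifetime of the command, where any process on the host that can read the process table can see it, so a CI runner should treat that argv as sensitive just as it treats the environment.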
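Added example for the last finding above, not the project's own log-tailing code: a tail-of-N-lines reader that validates `n` before allocating anything, which is the guard the review asks for, and that keeps the last `n` lines with a write cursor instead of shifting the slice with `copy()` on every line. The `--lines` flag handling and the log source are assumed; the input below is a constructed stand-in for a log stream.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// TailLines returns the last n lines of r, in order. n is validated first:
// with n < 0 the make() below would panic, and with n == 0 the flagged
// code's ring[n-1] write would index -1 as soon as one line is scanned.
func TailLines(r io.Reader, n int) ([]string, error) {
	if n <= 0 {
		return nil, fmt.Errorf("--lines must be greater than 0, got %d", n)
	}
	ring := make([]string, n) // fixed-size ring; no per-line copy()
	next, total := 0, 0       // next write slot and lines seen so far
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		ring[next] = sc.Text()
		next = (next + 1) % n
		total++
	}
	if err := sc.Err(); err != nil { // includes bufio.ErrTooLong for over-long lines
		return nil, err
	}
	if total < n {
		return ring[:total], nil // ring never wrapped; slots 0..total-1 are in order
	}
	// Ring wrapped: the oldest retained line sits at index next.
	out := make([]string, 0, n)
	out = append(out, ring[next:]...)
	return append(out, ring[:next]...), nil
}

// sampleLog is a constructed stand-in for a log stream.
const sampleLog = "line 1\nline 2\nline 3\nline 4\nline 5\n"

func main() {
	for _, n := range []int{2, 10, 0, -3} {
		lines, err := TailLines(strings.NewReader(sampleLog), n)
		if err != nil {
			fmt.Println("n =", n, "->", err)
			continue
		}
		fmt.Println("n =", n, "->", lines)
	}
}
```

Rejecting `n <= 0` with an error rather than clamping keeps `project logs --lines 0` from silently printing nothing, and returning the error from `TailLines` lets the command surface it as a usage error.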

@shyim Soner (shyim) merged commit deec2aa into next May 22, 2026
2 checks passed
@shyim Soner (shyim) deleted the claude/add-sbom-generator-ci-Pz3qq branch May 22, 2026 03:46