ci(sbom): open PR for SBOM updates instead of pushing direct to protected branches (#76)

Merged: rubenvdlinde merged 1 commit into development on May 1, 2026.
The Commit SBOM step ran a direct `git push` on every push trigger. On protected branches (main / development / beta) the org ruleset rejects unbypassed pushes, so the workflow failed with `GH013: Repository rule violations` — visible as the red `SBOM Generation & Validation` check on every release PR.

Split the post-build step in two:

- Unprotected branches (feature/**, bugfix/**, hotfix/**) keep the fast direct-commit path — no protection, no friction.
- Protected branches use peter-evans/create-pull-request to open (or update) `chore/sbom-update-<branch>` with the regenerated `sbom.cdx.json`, based on the same branch. A reviewer merges as with any other PR, so the org ruleset's "1 review" requirement is honoured.
- pull_request events skip the commit step entirely. The SBOM is already validated by the preceding scan steps; once the PR merges, this same workflow re-runs against the target branch and goes down one of the two paths above.

Adds explicit job-level `permissions: contents: write, pull-requests: write` so the bot can write commits / open PRs without relying on whatever the repo's default permissions happen to be.
Quality Report — ConductionNL/mydash @

| Check | PHP | Vue | Security | License | Tests |
|---|---|---|---|---|---|
| lint | ✅ | | | | |
| phpcs | ❌ | | | | |
| phpmd | ✅ | | | | |
| psalm | ✅ | | | | |
| phpstan | ✅ | | | | |
| phpmetrics | ✅ | | | | |
| eslint | ❌ | | | | |
| stylelint | ✅ | | | | |
| composer | ✅ | ✅ 100/100 | | | |
| npm | ✅ | ✅ 342/342 | | | |
| PHPUnit | ⏭️ | | | | |
| Newman | ⏭️ | | | | |
| Playwright | ⏭️ | | | | |
Quality workflow — 2026-05-01 07:23 UTC
Download the full PDF report from the workflow artifacts.
This was referenced May 1, 2026. rubenvdlinde added a commit that referenced this pull request on May 3, 2026.
Summary
Unblocks the third red check on PR #72 (release: development → beta): `SBOM Generation & Validation`.
The current `Commit SBOM` step does `git push` unconditionally on every push trigger. On main / development / beta the org ruleset rejects that push and the workflow fails with:
```
remote: error: GH013: Repository rule violations found for refs/heads/development.
error: failed to push some refs to 'https://github.com/ConductionNL/mydash'
##[error]Process completed with exit code 1.
```
(Source: PR #72's failing run, job `SBOM Generation & Validation` in run `25190361610`.)
What changed
Split the post-build step by event/branch type:
Also adds an explicit job-level `permissions:` block (`contents: write`, `pull-requests: write`) so the bot has the perms it needs without relying on the repo's default permission setting.
Test plan
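The two-path split described in the commit message and the PR description, written out as an added illustrative workflow fragment (not the mydash repository's actual workflow); the action version, step names, the branch-matching expressions and the assumption that earlier steps write `sbom.cdx.json` into the checkout are mine:

```yaml
name: SBOM Generation & Validation
on: [push, pull_request]

jobs:
  sbom:
    runs-on: ubuntu-latest
    # Job-level grant: the default GITHUB_TOKEN gets exactly what the commit
    # path and the PR path need, independent of the repo's default setting.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      # ... generation and validation steps that produce sbom.cdx.json
      #     run here (omitted in this example).

      # Path 1: unprotected branches push directly; no ruleset blocks it.
      - name: Commit SBOM (unprotected branch)
        if: >-
          github.event_name == 'push' &&
          (startsWith(github.ref, 'refs/heads/feature/') ||
          startsWith(github.ref, 'refs/heads/bugfix/') ||
          startsWith(github.ref, 'refs/heads/hotfix/'))
        run: |
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add sbom.cdx.json
          # Commit and push only when the SBOM actually changed.
          git diff --cached --quiet || {
            git commit -m "chore(sbom): update sbom.cdx.json"
            git push
          }

      # Path 2: protected branches get a PR, so the org's "1 review" rule applies.
      - name: Open SBOM update PR (protected branch)
        if: >-
          github.event_name == 'push' &&
          contains(fromJSON('["main","development","beta"]'), github.ref_name)
        uses: peter-evans/create-pull-request@v7
        with:
          commit-message: "chore(sbom): update sbom.cdx.json"
          branch: chore/sbom-update-${{ github.ref_name }}
          base: ${{ github.ref_name }}
          title: "chore(sbom): update SBOM for ${{ github.ref_name }}"
          add-paths: sbom.cdx.json

      # pull_request events match neither `if`, so no commit happens; the
      # preceding scan steps already validated the SBOM.
```

A PR opened with the default `GITHUB_TOKEN` cannot be approved by that same token, which is what keeps the "1 review" rule meaningful rather than a formality. Such a PR also does not trigger `pull_request` workflows on its own branch, so the validation the description relies on is the one that runs on the target branch after merge.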