Extract SBOMs generation and upload to a separate reusable workflow #4827

Closed

ahmedxgouda wants to merge 2 commits into OWASP:feature/ci-cd-optimization from ahmedxgouda:ci/sboms

Extract SBOMs generation and upload to a separate reusable workflow#4827
ahmedxgouda wants to merge 2 commits into
OWASP:feature/ci-cd-optimizationfrom
ahmedxgouda:ci/sboms

Conversation

@ahmedxgouda
Collaborator

Proposed change

Resolves #4819

Extracted SBOMs generation and upload to a separate reusable workflow

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

@coderabbitai
Contributor

coderabbitai Bot commented Jun 4, 2026

Warning

Review limit reached

@ahmedxgouda, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 7 minutes and 13 seconds. Learn how PR review limits work.



ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 56a4d9e7-8d63-4641-91cd-adf0c2b29ad8

📥 Commits

Reviewing files that changed from the base of the PR and between 9627040 and 27998fe.

📒 Files selected for processing (4)
  • .github/workflows/run-ci-cd.yaml
  • .github/workflows/scan-images.yaml
  • .github/workflows/upload-sboms.yaml
  • cspell/custom-dict.txt

@github-actions github-actions Bot added the ci label Jun 4, 2026
@ahmedxgouda ahmedxgouda added the gsoc2026:ahmedxgouda ahmedxgouda's GSoC 2026 related work label Jun 4, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


0 issues found across 1 file (changes from recent commits).


@sonarqubecloud

sonarqubecloud Bot commented Jun 4, 2026

@codecov

codecov Bot commented Jun 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.77%. Comparing base (9627040) to head (27998fe).


@@                     Coverage Diff                     @@
##           feature/ci-cd-optimization    #4827   +/-   ##
===========================================================
  Coverage                       98.77%   98.77%           
===========================================================
  Files                             538      538           
  Lines                           16987    16987           
  Branches                         2406     2406           
===========================================================
  Hits                            16779    16779           
  Misses                            119      119           
  Partials                           89       89           
Flag       Coverage   Δ
backend    99.47%     <ø> (ø)
frontend   96.80%     <ø> (ø)


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


3 issues found across 4 files

Confidence score: 3/5

  • There is concrete CI/CD regression risk in .github/workflows/run-ci-cd.yaml: deploy is no longer gated on SBOM success, so releases can proceed even if SBOM generation/upload fails.
  • .github/workflows/upload-sboms.yaml has a likely runtime failure path because release_tag is optional in the interface but required for production uploads, which can break the production SBOM step when omitted.
  • Given the medium-high severities (7/10 and 6/10) with strong confidence, this is mergeable with caution but carries meaningful pipeline/compliance risk rather than just housekeeping changes.
  • Pay close attention to .github/workflows/run-ci-cd.yaml and .github/workflows/upload-sboms.yaml - restore deploy gating on SBOM success, require/validate release_tag for production, and reduce staging job permissions to least privilege.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/upload-sboms.yaml">

<violation number="1" location=".github/workflows/upload-sboms.yaml:96">
P2: `release_tag` is optional, but production upload always requires it; this can make the production SBOM upload fail at runtime when the input is omitted.</violation>
</file>

<file name=".github/workflows/run-ci-cd.yaml">

<violation number="1" location=".github/workflows/run-ci-cd.yaml:151">
P2: Staging SBOM upload job is over-privileged with `contents: write`; use read-only contents permission for least privilege.</violation>

<violation number="2" location=".github/workflows/run-ci-cd.yaml:265">
P1: Extracting SBOM upload into separate jobs removed deploy gating on SBOM success; deploy can proceed even when SBOM generation/upload fails.</violation>
</file>

Reply with feedback, questions, or to request a fix.


      frontend_ecr_repo: nest-production-frontend
      release_version: ${{ needs.set-release-version.outputs.release_version }}

  upload-production-sboms:
Contributor


P1: Extracting SBOM upload into separate jobs removed deploy gating on SBOM success; deploy can proceed even when SBOM generation/upload fails.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/run-ci-cd.yaml, line 265:

<comment>Extracting SBOM upload into separate jobs removed deploy gating on SBOM success; deploy can proceed even when SBOM generation/upload fails.</comment>

<file context>
@@ -236,16 +252,35 @@ jobs:
       frontend_ecr_repo: nest-production-frontend
+      release_version: ${{ needs.set-release-version.outputs.release_version }}
+
+  upload-production-sboms:
+    name: Upload Production SBOMs
+    if: |
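Review bot: the new `upload-production-sboms` job is introduced here, but nothing in this hunk adds it to any downstream job's `needs:`, which is exactly the gap behind the P1 finding: a job that merely exists in the workflow does not block deploy, so a failed SBOM generation or release upload lets the release go out without its SBOMs. Suggest adding `upload-production-sboms` to the deploy job's `needs:` list (the deploy job itself is outside the visible lines), and keeping the `if: |` condition, whose body is cut off here, aligned with the deploy job's own condition so the gate cannot be bypassed by a condition mismatch.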
</file context>

          RELEASE_VERSION: ${{ inputs.release_version }}
          RELEASE_TAG: ${{ inputs.release_tag }}
        run: |
          gh release upload "$RELEASE_TAG" \
Contributor


P2: release_tag is optional, but production upload always requires it; this can make the production SBOM upload fail at runtime when the input is omitted.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/upload-sboms.yaml, line 96:

<comment>`release_tag` is optional, but production upload always requires it; this can make the production SBOM upload fail at runtime when the input is omitted.</comment>

<file context>
@@ -0,0 +1,108 @@
+          RELEASE_VERSION: ${{ inputs.release_version }}
+          RELEASE_TAG: ${{ inputs.release_tag }}
+        run: |
+          gh release upload "$RELEASE_TAG" \
+            "backend-sbom-$RELEASE_VERSION.cdx.json" \
+            "frontend-sbom-$RELEASE_VERSION.cdx.json"
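Review bot: `RELEASE_TAG` comes from an optional input and is passed straight to `gh release upload "$RELEASE_TAG"`; when the input is omitted the step runs `gh release upload ""` and fails at runtime with an unhelpful error, which is the P2 finding. Suggest guarding before the call, e.g. `if [ -z "$RELEASE_TAG" ]; then echo "::error::release_tag is required for production uploads"; exit 1; fi`, or declaring the input `required: true` for this path, or skipping the step with `if: inputs.release_tag != ''` so staging callers do not hit it. The same check is worth applying to `RELEASE_VERSION`, since it builds both artifact file names.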
</file context>

      - set-release-version
    permissions:
      actions: write
      contents: write
Contributor


P2: Staging SBOM upload job is over-privileged with contents: write; use read-only contents permission for least privilege.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/run-ci-cd.yaml, line 151:

<comment>Staging SBOM upload job is over-privileged with `contents: write`; use read-only contents permission for least privilege.</comment>

<file context>
@@ -142,6 +141,23 @@ jobs:
+      - set-release-version
+    permissions:
+      actions: write
+      contents: write
+    uses: ./.github/workflows/upload-sboms.yaml
+    with:
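Review bot: `contents: write` on the staging caller job is broader than the staging path needs; nothing in this hunk shows staging writing to the repository or to a release, so `contents: read` is the least-privilege choice, which is the P2 finding. Because the caller's `permissions:` block is the ceiling for a called reusable workflow (the callee can narrow it but never widen it), the write grant should live only on the production job that actually runs `gh release upload`. Also worth confirming that `actions: write` rather than `actions: read` is needed here, since the visible lines do not explain it.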
</file context>
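The three cubic findings above, fixed together in one fragment: the deploy job gated on the production SBOM job, the staging caller dropped to `contents: read`, and the release step validating its inputs. This is an added example, not the PR's own workflow; the job names `upload-staging-sboms` and `deploy-production`, `github.ref_name` as the tag source and the `GH_TOKEN` wiring are assumptions, while `upload-production-sboms`, the inputs and the `gh release upload` step come from the diff context quoted above.

```yaml
# Added example, not the PR's own workflow. Assumed: job names deploy-production
# and upload-staging-sboms, and github.ref_name as the release tag source.
jobs:                                  # --- run-ci-cd.yaml, caller side ---
  upload-staging-sboms:
    needs: [set-release-version]
    permissions:
      actions: write      # keep only if the called workflow handles artifacts
      contents: read      # staging never writes to a release: least privilege
    uses: ./.github/workflows/upload-sboms.yaml
    with:
      release_version: ${{ needs.set-release-version.outputs.release_version }}

  upload-production-sboms:
    needs: [set-release-version]
    permissions:
      actions: write
      contents: write     # the only job that runs gh release upload
    uses: ./.github/workflows/upload-sboms.yaml
    with:
      release_version: ${{ needs.set-release-version.outputs.release_version }}
      release_tag: ${{ github.ref_name }}

  deploy-production:
    needs: [upload-production-sboms]   # restored gate: SBOM failure blocks deploy
    runs-on: ubuntu-latest
    steps: [{ run: echo "deploy steps go here" }]
---
on:                                    # --- upload-sboms.yaml, called side ---
  workflow_call:
    inputs:
      release_version: { required: true, type: string }
      release_tag: { required: false, type: string }   # optional for staging
jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - name: Upload SBOMs to the GitHub release
        if: inputs.release_tag != ''     # staging callers skip this step cleanly
        env:
          RELEASE_VERSION: ${{ inputs.release_version }}
          RELEASE_TAG: ${{ inputs.release_tag }}
          GH_TOKEN: ${{ github.token }}
        run: |
          # Fail fast with a readable error rather than letting gh reject empties
          if [ -z "$RELEASE_TAG" ] || [ -z "$RELEASE_VERSION" ]; then
            echo "::error::release_tag and release_version must both be set"; exit 1
          fi
          gh release upload "$RELEASE_TAG" \
            "backend-sbom-$RELEASE_VERSION.cdx.json" \
            "frontend-sbom-$RELEASE_VERSION.cdx.json"
```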

Collaborator

@arkid15r arkid15r left a comment


It'll be addressed in #4845

@arkid15r arkid15r closed this Jun 6, 2026
@ahmedxgouda ahmedxgouda deleted the ci/sboms branch June 6, 2026 18:34
Labels

ci gsoc2026:ahmedxgouda ahmedxgouda's GSoC 2026 related work
