chore(ci): four-layer safety net for external tool version upgrades #175
Merged
The scanner depends on cdxgen/trivy/syft/scanoss/unblob/cve-bin-tool/scancode, but their upgrade loop had gaps: Dependabot cannot see ARG/shell-pinned tools, and tests only checked that output was CycloneDX, so a bump could silently change specVersion, component counts, or fields.
- Detect: Renovate customManagers track the tool ARGs (docker/Dockerfile) and the cdxgen image tags (source-detect.sh); scoped to custom.regex so it coexists with Dependabot. renovate.yml runs it (needs RENOVATE_TOKEN).
- Regress: tests/test-snapshot.sh normalizes post-process output and diffs against committed goldens; wired into the ci.yml post-process job. UPDATE_SNAPSHOTS=1 regenerates after an intended change.
- Single source: docker-publish.yml reads SYFT/TRIVY versions from the Dockerfile ARGs instead of duplicating literals.
- Compat: upstream-compat.yml weekly scans representative examples with the latest cdxgen and opens a tracking issue if generation breaks.
- Docs: dependency-upgrade-policy.md and a tool-upgrade checklist in release-guide.md.
Background
BomLens is a combination of cdxgen, trivy, syft, scanoss, unblob, cve-bin-tool, scancode and others, and keeping up with their new versions is its normal mode of operation, yet the safety net that should guard that upgrade loop was missing. Dependabot cannot see tools pinned through ARG or shell variables, and the existing tests only checked, roughly, that the output was CycloneDX, so changes to specVersion, components, or fields went unnoticed.

For the detailed design, see docs/internal/dependency-upgrade-policy.md.

Changes (4 layers)
- Tracks the tool ARGs in docker/Dockerfile and the cdxgen tag in docker/lib/source-detect.sh and opens bump PRs. Restricted to custom.regex only, so it does not collide with the existing Dependabot. (renovate.json, .github/workflows/renovate.yml)
- tests/test-snapshot.sh normalizes the post-process output and compares it against the committed goldens. The changes a tool bump makes to the output surface as a PR diff. Wired into the ci.yml post-process job. (Refresh with UPDATE_SNAPSHOTS=1)
- docker-publish.yml reads the SYFT/TRIVY versions from the Dockerfile ARGs, removing the duplication.
- upstream-compat.yml scans the representative examples with the latest cdxgen weekly and opens a tracking issue if generation breaks.
- dependency-upgrade-policy.md added; a tool upgrade checklist added to release-guide.md.

Verification
- test-postprocess intact (no change)
- renovate.json passes the validator; new workflows actionlint clean; new scripts shellcheck clean

Post-merge tasks
- Register RENOVATE_TOKEN (PAT for creating PRs): already registered
- Confirm it works with gh workflow run renovate.yml -f dryRun=true
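What the snapshot layer above has to do, as an added Python illustration (the PR's own tests/test-snapshot.sh is a shell script, and this is not its code): drop only per-run noise from a CycloneDX JSON document, sort components so ordering is irrelevant, then diff against a committed golden, with UPDATE_SNAPSHOTS=1 as the only way to accept a change. The volatile field list, the sample BOMs and the demo() helper are assumptions made for this example.

```python
import difflib
import json
import os
import tempfile
from pathlib import Path

# Per-run noise that must never appear in a snapshot diff. metadata.tools (the scanner's
# own version) goes too: the bump is the PR under review, the question is what it changed.
TOP_LEVEL_VOLATILE = ("serialNumber",)
METADATA_VOLATILE = ("timestamp", "tools")

def normalize(bom: dict) -> dict:
    """Canonical view of a CycloneDX BOM: noise removed, components sorted by purl.
    specVersion, component count and every component field are kept on purpose."""
    out = {k: v for k, v in bom.items() if k not in TOP_LEVEL_VOLATILE}
    out["metadata"] = {k: v for k, v in bom.get("metadata", {}).items() if k not in METADATA_VOLATILE}
    out["components"] = sorted(bom.get("components", []), key=lambda c: (c.get("purl", ""), c.get("name", ""), c.get("version", "")))
    return out

def check_snapshot(bom: dict, golden: Path, update=None) -> list:
    """Diff the normalized BOM against the committed golden; [] means no change. UPDATE_SNAPSHOTS=1
    (or update=True) rewrites the golden instead. A missing golden is a failure, not an accept."""
    update = os.environ.get("UPDATE_SNAPSHOTS") == "1" if update is None else update
    actual = json.dumps(normalize(bom), indent=2, sort_keys=True) + "\n"
    if update:
        golden.write_text(actual)
        return []
    if not golden.exists():
        return [f"missing golden {golden}; rerun with UPDATE_SNAPSHOTS=1 to create it"]
    return list(difflib.unified_diff(golden.read_text().splitlines(), actual.splitlines(), "golden", "actual", lineterm=""))

# Constructed sample (not real scanner output): two runs differing only in noise, then the
# same scan after a tool bump that dropped a component and changed specVersion.
RUN_A = {"bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:aaa",
         "metadata": {"timestamp": "2024-01-01T00:00:00Z", "tools": {"components": []}},
         "components": [{"type": "library", "name": "zlib", "version": "1.3", "purl": "pkg:generic/zlib@1.3"},
                        {"type": "library", "name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"}]}
RUN_B = {**RUN_A, "serialNumber": "urn:uuid:bbb", "components": list(reversed(RUN_A["components"])),
         "metadata": {"timestamp": "2024-02-01T00:00:00Z", "tools": {"components": []}}}
AFTER_BUMP = {**RUN_B, "specVersion": "1.6", "components": RUN_A["components"][:1]}

def demo() -> tuple:
    with tempfile.TemporaryDirectory() as d:
        golden = Path(d) / "example.golden.json"
        first = check_snapshot(RUN_A, golden, update=False)         # no golden yet -> failure
        check_snapshot(RUN_A, golden, update=True)                 # accept the baseline
        same = check_snapshot(RUN_B, golden, update=False)          # noise only -> []
        regress = check_snapshot(AFTER_BUMP, golden, update=False)  # content changed -> diff
    return first, same, regress
```

In CI the non-empty diff is the job failure; the PR author reruns with UPDATE_SNAPSHOTS=1 only after reviewing that the removed component and the new specVersion are intended.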