Description
- Generate a software bill of materials (SBOM) for the backend and attach it, as CycloneDX or SPDX, to every release.
Requirements and context
- Must be secure, tested, and documented for production operation.
- Should be efficient, observable, and easy to review in PRs.
- Scope is Predictify backend / off-chain services only (no Soroban contract changes, no frontend UI in this issue).
Suggested execution
- Fork the repository and create a branch: `git checkout -b feature/sbom-ci`
- Implement changes:
- Service / module: implement in `.github/workflows/sbom.yml` and related packages as needed.
- Tests: add or extend CI validation only (unit + integration where applicable).
- Documentation: update or add `docs/backend/SUPPLY_CHAIN.md` (architecture notes, OpenAPI, or runbooks).
- Comments & types: document public APIs, config knobs, and failure modes clearly.
Primary touchpoints: `.github/workflows/sbom.yml`
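A CI gate for the generated SBOM, as an added example that is not the project's own code: it validates a CycloneDX JSON or SPDX JSON document before the workflow attaches it to the release and fails the job on a malformed document or an empty component list (the usual symptom of scanning the wrong path). The script path `scripts/check_sbom.py`, the accepted spec versions and the sample documents are assumptions.

```python
"""Gate a generated SBOM (CycloneDX JSON or SPDX JSON) before release upload.

Added example for the sbom.yml workflow; script name and accepted spec
versions are assumptions, not project policy.
"""
import json
import sys
from typing import List

# Spec versions the gate accepts (assumption: adjust to repo policy).
CYCLONEDX_VERSIONS = {"1.4", "1.5", "1.6"}
SPDX_VERSIONS = {"SPDX-2.2", "SPDX-2.3"}


def check_cyclonedx(doc: dict) -> List[str]:
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    if doc.get("specVersion") not in CYCLONEDX_VERSIONS:
        problems.append(f"unsupported specVersion {doc.get('specVersion')!r}")
    if not str(doc.get("serialNumber", "")).startswith("urn:uuid:"):
        problems.append("serialNumber missing or not a urn:uuid")
    if "component" not in (doc.get("metadata") or {}):
        problems.append("metadata.component (the release itself) is missing")
    components = doc.get("components") or []
    if not components:
        problems.append("no components: the generator probably scanned the wrong path")
    for i, comp in enumerate(components):
        for key in ("name", "version", "purl"):
            if not comp.get(key):
                problems.append(f"components[{i}] lacks {key}")
    return problems


def check_spdx(doc: dict) -> List[str]:
    """Same contract as check_cyclonedx, for SPDX 2.x JSON."""
    problems = []
    if doc.get("spdxVersion") not in SPDX_VERSIONS:
        problems.append(f"unsupported spdxVersion {doc.get('spdxVersion')!r}")
    if doc.get("dataLicense") != "CC0-1.0":
        problems.append("dataLicense must be CC0-1.0")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("SPDXID must be SPDXRef-DOCUMENT")
    if not doc.get("documentNamespace"):
        problems.append("documentNamespace missing")
    packages = doc.get("packages") or []
    if not packages:
        problems.append("no packages: the generator probably scanned the wrong path")
    for i, pkg in enumerate(packages):
        for key in ("name", "SPDXID", "versionInfo"):
            if not pkg.get(key):
                problems.append(f"packages[{i}] lacks {key}")
    return problems


def check_sbom(raw: str) -> List[str]:
    """Detect the format from the document itself and validate it."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    if doc.get("bomFormat") == "CycloneDX":
        return check_cyclonedx(doc)
    if "spdxVersion" in doc:
        return check_spdx(doc)
    return ["unrecognised SBOM: neither bomFormat=CycloneDX nor spdxVersion present"]


# Constructed sample documents (not real generator output).
GOOD_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "metadata": {"component": {"type": "application", "name": "backend", "version": "1.4.0"}},
    "components": [{"type": "library", "name": "requests", "version": "2.31.0",
                    "purl": "pkg:pypi/requests@2.31.0"}],
})
EMPTY_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "metadata": {}, "components": [],
})
GOOD_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "documentNamespace": "https://example.invalid/sbom/backend-1.4.0",
    "packages": [{"name": "requests", "SPDXID": "SPDXRef-Package-requests", "versionInfo": "2.31.0"}],
})


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print("usage: check_sbom.py <sbom.json>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        problems = check_sbom(fh.read())
    for problem in problems:
        print(f"SBOM check: {problem}", file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In `.github/workflows/sbom.yml` this runs as a step between generation and upload, e.g. `python scripts/check_sbom.py sbom.cdx.json`; a non-zero exit fails the job, so an empty or truncated SBOM never reaches the release assets.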
Test and commit
- Run the project test command (e.g. `pytest`, `cargo test`, or `npm test`; follow repo conventions).
- Cover edge cases listed in the description; add regression tests for any bug found.
- In the PR, include summarized test output and security / ops notes (authn/z, data handling, rate limits).
Example commit message
ci(security): generate backend sbom
Guidelines
- Target ≥ 95% coverage on new or materially changed modules (per language/tooling configured in CI).
- Documentation must allow a new engineer to operate and verify the feature locally.
- Timeframe: 96 hours from assignment.