adityamparikh opened a new pull request, #142: URL: https://github.com/apache/solr-mcp/pull/142
## Summary

- Applies the `org.cyclonedx.bom` Gradle plugin (2.4.1 — the version Spring Initializr ships for Spring Boot 3.5.14 when you select the `sbom-cyclone-dx` starter). Spring Boot's built-in `CycloneDxPluginAction` auto-configures the task and embeds the SBOM in the bootable JAR at `META-INF/sbom/application.cdx.json` — so the Jib JVM image and both Paketo native images carry the SBOM via bootJar packaging, no per-image wiring.
- Enables `/actuator/sbom/application` explicitly in the HTTP profile (the endpoint was already in the exposure list).
- `build-and-publish.yml` uploads the SBOM as a 30-day workflow artifact.
- `release-publish.yml` removes the existing `|| echo "SBOM not configured"` fallback (which silently swallowed failures), uploads the SBOM as a 90-day workflow artifact, and attaches it to the matching GitHub Release when one exists (graceful skip otherwise, since the ASF release of record lives at dist.apache.org).
- README documents location, retrieval (`curl /actuator/sbom/application`, `./gradlew cyclonedxBom`), and scanning with trivy/grype.
- AGENTS.md (CLAUDE.md → AGENTS.md symlink) records the command and the bootJar → actuator → image flow for future contributors.

Spec: `docs/superpowers/specs/2026-06-05-sbom-generation-design.md`
Plan: `docs/superpowers/plans/2026-06-05-sbom-generation.md`

## Test plan

- [x] `./gradlew build` is green
- [x] `build/reports/application.cdx.json` produced (`bomFormat: CycloneDX`, `specVersion: 1.6`)
- [x] SBOM is embedded in `build/libs/solr-mcp-1.0.0-SNAPSHOT.jar` at `META-INF/sbom/application.cdx.json`
- [ ] CI green on this PR
- [ ] Manual sanity-check post-merge: pull the resulting Jib image, `docker run -e PROFILES=http`, `curl http://localhost:8080/actuator/sbom/application`

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
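The third test-plan item (SBOM embedded in the bootable JAR) can be checked mechanically so that a missing or malformed SBOM fails the build rather than passing silently. The following is an added example, not code from the pull request or the project; the function names `check_embedded_sbom` and `build_sample_jar` and the sample component are hypothetical, and only the entry path and the `bomFormat`/`specVersion` values come from the PR text.

```python
import io
import json
import zipfile

SBOM_PATH = "META-INF/sbom/application.cdx.json"  # location stated in the PR


class SbomCheckError(Exception):
    """Raised when the JAR does not carry a usable CycloneDX SBOM."""


def check_embedded_sbom(jar, expected_spec="1.6"):
    """Return (name, version) pairs for the components in the embedded SBOM.

    `jar` is a path or a binary file object. Every failure raises
    SbomCheckError, so a CI step cannot pass on a missing or empty SBOM.
    """
    with zipfile.ZipFile(jar) as zf:
        try:
            raw = zf.read(SBOM_PATH)
        except KeyError:
            raise SbomCheckError(f"{SBOM_PATH} not found in JAR") from None
    try:
        bom = json.loads(raw)
    except ValueError as exc:
        raise SbomCheckError(f"SBOM is not valid JSON: {exc}") from None
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        raise SbomCheckError("bomFormat is not CycloneDX")
    if bom.get("specVersion") != expected_spec:
        raise SbomCheckError(f"unexpected specVersion: {bom.get('specVersion')!r}")
    components = bom.get("components") or []
    if not components:
        raise SbomCheckError("SBOM lists no components")
    return [(c.get("name"), c.get("version")) for c in components]


def build_sample_jar(sbom):
    """Constructed test input: an in-memory JAR; sbom=None omits the entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if sbom is not None:
            zf.writestr(SBOM_PATH, json.dumps(sbom))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = {"bomFormat": "CycloneDX", "specVersion": "1.6",  # constructed
              "components": [{"name": "example-lib", "version": "0.0.0"}]}
    print(check_embedded_sbom(build_sample_jar(sample)))
```
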
