coulomb/activity-core
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix repo_sbom_status resolver — close ADHOC-2026-06-01-T01

Browse Source 
The state-hub resolver was calling GET /sbom/status?repo={slug}, which State
Hub does not expose. Real SBOM routes are /sbom/, /sbom/{slug},
/sbom/snapshots/, /sbom/snapshots/{id}, /sbom/ingest/, /sbom/report/licences/.
The weekly-sbom-staleness ActivityDefinition was passing params {repos: all}
and the resolver was reading params.get("repo_slug", ""), so the URL
collapsed to /sbom/status?repo= and 404'd. _fetch_json swallowed the error,
the rule context.repos.sbom_age_days > 30 evaluated against {} and never
matched, and the weekly SBOM check has been a silent no-op for as long as
the route mismatch has existed.

Resolver now supports two modes selected by params:
- single-repo: {repo_slug: foo} → GET /sbom/{foo}, returns
  {repo_slug, last_sbom_at, sbom_age_days, has_sbom}
- bulk: {repos: all} → GET /repos/, computes per-repo age, returns the
  worst repo's fields hoisted to the top of the result alongside
  stale_count, total_count, worst_* fields, and the full per-repo list

Never-scanned repos get a 99999 sentinel age so threshold rules treat
them as very stale without forcing the rule to special-case None.

Hoisting the worst entry to the top preserves the existing rule
expression context.repos.sbom_age_days > 30 (and target_repo:
context.repos.repo_slug, though that field is a separate interpolation
gap tracked as ADHOC-2026-06-01-T02). The integration tests'
aspirational per-repo iteration model is left intact.

Live validation against State Hub on 2026-06-01:
- single: activity-core → 36 days since 2026-04-26 ingest
- bulk: 48 repos total, 46 stale (>30d), worst is info-tech-canon (never
  scanned), rule expression evaluates True

Tests: 120 passed, 1 skipped.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-06-02 03:31:56 +02:00
parent 5d3fb33c6b
commit a8d3cc2782
4 changed files with 270 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
activity-definitions/weekly-sbom-staleness.md
View File

@@ -16,6 +16,9 @@ context_sources:
params:
repos: all
bind_to: context.repos
# Resolver returns a summary keyed off the worst repo so the rule expression
# below can match without comprehensions (the sandboxed evaluator does not
# support them). See _repo_sbom_status in context_resolvers/state_hub.py.
---
# Weekly SBOM Staleness Check
@@ -32,3 +35,14 @@ action:
priority: medium
labels: ["sbom", "security", "automated"]
```
NOTE: in the production bulk-mode resolver path the condition matches against
the **worst** repo's age (the resolver hoists the worst entry's
`sbom_age_days`, `repo_slug`, `last_sbom_at`, `has_sbom` to the top of
`context.repos` alongside the per-repo list and summary counts). The rule
therefore fires at most once per workflow run, not once per stale repo. The
aspirational per-stale-repo task fan-out is exercised by the integration
tests' simulated pipeline but is not delivered by the current workflow —
landing it requires (a) per-iteration context binding in the workflow and
(b) `context.*` interpolation in rule action fields. Both are tracked as
`ADHOC-2026-06-01-T02`.