Currently, all first-party-maintained code in the All Scenarios OS project is automatically uploaded to Fossology at every commit on the main branch, so that the audit team can review it continuously (see here).
However, commits on development branches may also need to be reviewed on Fossology in a separate “staging” area, e.g. when substantial portions of source code (or binary blobs) are going to be added to or removed from a branch.
Since we cannot review every single development branch on Fossology, we should establish a policy for the names of development branches that should be scanned with Fossology: a policy that can be implemented automatically through GitLab pipeline definitions, e.g. via a regex (in .gitlab-ci.yaml you can use if clauses like if: '$CI_COMMIT_BRANCH =~ /regex-expression/'). We could use a suffix or a prefix in the branch name, or use slashed branch names (like
Any suggestion or feedback on that is welcome!
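To make the branch-name policy concrete, here is an added example of a GitLab CI job (not the project's own pipeline) that keeps the existing main-branch upload and additionally scans development branches that opt in through a branch-name prefix. The "fossology/" prefix, the folder names and the upload script path are assumptions for illustration; the policy itself is still to be decided.

```yaml
# Added example, not part of the All Scenarios OS pipeline.
# Assumptions: development branches opt in to a Fossology scan by using the
# prefix "fossology/"; ./scripts/upload-to-fossology.sh is a placeholder for
# whatever the project uses to upload the tree to the Fossology server.
stages:
  - compliance

fossology-scan:
  stage: compliance
  rules:
    # Existing behaviour: every commit on the main (default) branch is scanned
    # into the regular review area.
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      variables:
        FOSSOLOGY_FOLDER: "main"
    # Staging area: only development branches whose name starts with
    # "fossology/" (e.g. fossology/add-vendor-blobs) are scanned.
    - if: '$CI_COMMIT_BRANCH =~ /^fossology\//'
      variables:
        FOSSOLOGY_FOLDER: "staging"
    # Everything else (other branches, tags, merge request pipelines, where
    # CI_COMMIT_BRANCH is not set at all) does not run this job.
    - when: never
  script:
    - echo "Uploading $CI_COMMIT_SHORT_SHA from branch $CI_COMMIT_BRANCH to Fossology folder $FOSSOLOGY_FOLDER"
    - ./scripts/upload-to-fossology.sh "$FOSSOLOGY_FOLDER"   # placeholder upload step
```

Note that $CI_COMMIT_BRANCH is only defined in branch pipelines, so the same regex will not match in tag or merge request pipelines; if those should also be scanned, a separate rule on $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME or $CI_COMMIT_TAG is needed.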