fix(ci): test omit-optional flag to exclude LGPL optional deps from SBOM

joker23 · claude · joker23 · commit bbda5d9e2e81 · 2026-04-24T09:20:34.000-05:00
Point generate-sbom at the skz/ignore-optional branch of gh-actions which
adds --omit optional to cdxgen. This should exclude @img/sharp-libvips-*
(LGPL-3.0, optional deps of sharp via Next.js) from the SBOM.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
@@ -40,9 +40,10 @@ jobs:
           YARN_ENABLE_IMMUTABLE_INSTALLS: 'false'
 
       - name: Generate SBOM
-        uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@8220ae5b6e56f7108d076da0e710dc4feca15101 # main
+        uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@88b91f303c25af3a90c2f0a98dd75af64c3bb332 # skz/ignore-optional
         with:
           types: 'nodejs'
+          omit-optional: 'true'
 
   evaluate-policy:
     runs-on: ubuntu-latest
