to be continuous bot · to be continuous bot · Pierre Smeyers · semantic-release-bot · to be continuous bot · Girija Saint-Ange
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist

 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
    * [ ] untagged runners
    * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-# [4.3.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/maven/compare/4.2.0...4.3.0) (2025-01-29)
+## [4.3.1](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/maven/compare/4.3.0...4.3.1) (2025-05-07)
+
+
+### Bug Fixes
+
+* **sbom:** only generate SBOMs on prod branches, integ branches and release tags ([88eb63d](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/maven/commit/88eb63d5cfcf910eac98d2b0c5edbde72a6b5873))
+
+## [4.3.1](https://gitlab.com/to-be-continuous/maven/compare/4.3.0...4.3.1) (2025-01-31)
+
+
+### Bug Fixes
+
+* **sbom:** only generate SBOMs on prod branches, integ branches and release tags ([88eb63d](https://gitlab.com/to-be-continuous/maven/commit/88eb63d5cfcf910eac98d2b0c5edbde72a6b5873))
+
+# [4.3.0](https://gitlab.com/to-be-continuous/maven/compare/4.2.0...4.3.0) (2025-01-28)


 ### Features

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:

 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
   Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.

 ### Git Commit Conventions

--- a/README.md
+++ b/README.md
@@ -4,8 +4,8 @@ This project implements a GitLab CI/CD template to build, test and analyse your

 ## Usage

-This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) 
-or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) 
+or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.

 ### Use as a CI/CD component

@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
  # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.1
    # 2: set/override component inputs
    inputs:
      # ⚠ this is only an example
@@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
  # 1: include the template
  - project: 'to-be-continuous/maven'
-    ref: '4.3.0'
+    ref: '4.3.1'
    file: '/templates/gitlab-ci-maven.yml'

 variables:
@@ -46,18 +46,28 @@ The Maven template uses some global configuration throughout all jobs.

 | Input / Variable                    | Description                                                                                                        | Default value |
 | --------------------- |--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
-| `image` / `MAVEN_IMAGE`             | The Docker image used to run Maven <br/>:warning: **set the version required by your project**                     | `registry.hub.docker.com/library/maven:latest` |
+| `image` / `MAVEN_IMAGE`             | The Docker image used to run Maven <br/>:warning: **set the version required by your project**                     | `registry.hub.docker.com/library/maven:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-MAVEN_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-MAVEN_IMAGE) |
 | `project-dir` / `MAVEN_PROJECT_DIR` | Maven projet root directory                                                                                        | `.` |
 | `cfg-dir` / `MAVEN_CFG_DIR`         | The Maven configuration directory                                                                                  | `.m2` |
 | `settings-file` / `MAVEN_SETTINGS_FILE` | The Maven `settings.xml` file path                                                                             | `${MAVEN_CFG_DIR}/settings.xml` |
 | `opts` / `MAVEN_OPTS`               | [Global Maven options](http://maven.apache.org/configure.html#maven_opts-environment-variable)                     | `-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=${MAVEN_CFG_DIR}/repository -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true` |
 | `cli-opts` / `MAVEN_CLI_OPTS`       | Additional [Maven options](https://maven.apache.org/ref/3-LATEST/maven-embedder/cli.html) used on the command line | `--no-transfer-progress --batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true` |

+### About `$MAVEN_IMAGE`
+
+Each job in the template will use the defined container image to provide the Maven and Java runtime to the job context.
+That's why it is mandatory that you set the version of Maven as required by your project (e.g. `registry-1.docker.io/library/maven:3.9.9-eclipse-temurin-21` for Maven 3.9.9 on Eclipse Temurin JDK 21).
+
+#### Use of the Maven Wrapper
+
+Maven Wrapper - although very convenient for the developer to automatically download and use the required Maven version on each developer environment - is **not supported by this template**.
+We consider reinstalling over and over again another version of Maven in every job would be dumb: better pull directly an image with the right version.
+			
 ### About `$MAVEN_CFG_DIR`

 This variable is used to define the Maven configuration directory. It is used to declare the cache policy and marked the `${MAVEN_CFG_DIR}/repository` directory as cached (not to download Maven dependencies over and over again).

-If you have a good reason to do differently, you'll have to override the `MAVEN_CLI_OPTS` variable as well as the [`cache`](https://docs.gitlab.com/ee/ci/yaml/#cache) policy.
+If you have a good reason to do differently, you'll have to override the `MAVEN_CLI_OPTS` variable as well as the [`cache`](https://docs.gitlab.com/ci/yaml/#cache) policy.

 ### About `$MAVEN_SETTINGS_FILE`

@@ -66,7 +76,7 @@ If a file is found at the `$MAVEN_SETTINGS_FILE` location, the template automati
 Note that with this design you are free to either:

 1. inline the `settings.xml` file into your repository source (:warning: make sure not to inline secrets but use the `${env.MY_PASSWORD}` replacement pattern instead and define the `MY_PASSWORD` variable as secret project variable),
-2. or define the `settings.xml` content as a [file type project variable](https://docs.gitlab.com/ee/ci/variables/#use-file-type-cicd-variables).
+2. or define the `settings.xml` content as a [file type project variable](https://docs.gitlab.com/ci/variables/#use-file-type-cicd-variables).

 ## Jobs

@@ -88,7 +98,7 @@ It uses the following variable:
 With its default arguments, the GitLab CI template for Maven forces the use of [JaCoCo Maven Plugin](https://www.eclemma.org/jacoco/trunk/doc/maven.html)
 to compute code coverage during unit tests execution.

-In addition it makes the necessary to [integrate code coverage stats into your GitLab project](https://docs.gitlab.com/ee/ci/testing/code_coverage.html#view-code-coverage-results-in-the-mr) (report badge and viewable coverage in merge requests).
+In addition it makes the necessary to [integrate code coverage stats into your GitLab project](https://docs.gitlab.com/ci/testing/code_coverage/#view-coverage-results) (report badge and viewable coverage in merge requests).

 If you want to fix the JaCoCo plugin version or tweak the default configuration, you may have to configure the
 [JaCoCo Maven Plugin](https://www.eclemma.org/jacoco/trunk/doc/maven.html) in your `pom.xml`, but be aware of the
@@ -98,7 +108,7 @@ following:
  unit tests (not necessarily with the expected configuration). If you really need to do so anyway, you'll have to
  override the `$MAVEN_BUILD_ARGS` variable to remove the explicit invocation to JaCoCo goals.
 * make sure the `report` goal computes a CSV report (that's default behavior), that is used by the Maven template to compute the global coverage stat,
-* make sure the `report` goal computes an XML report (that's default behavior), that is required to support [GitLab code coverage intergation](https://docs.gitlab.com/ee/ci/testing/test_coverage_visualization/jacoco.html).
+* make sure the `report` goal computes an XML report (that's default behavior), that is required to support [GitLab code coverage intergation](https://docs.gitlab.com/ci/testing/code_coverage/jacoco/).

 More info:

@@ -113,18 +123,18 @@ This job uses the following variables:
 | Input / Variable         | Description                            | Default value     |
 | ------------------------ | -------------------------------------- | ----------------- |
 | `sonar-host-url` / `SONAR_HOST_URL` | SonarQube server url                   | _none_ (disabled) |
-| :lock: `SONAR_TOKEN`     | SonarQube authentication [token](https://docs.sonarsource.com/sonarqube/latest/user-guide/user-account/generating-and-using-tokens/#using-a-token) (depends on your authentication method) | _none_ |
-| :lock: `SONAR_LOGIN`     | SonarQube [login](https://docs.sonarsource.com/sonarqube/latest/extension-guide/web-api/#http-basic-access) (depends on your authentication method)                | _none_ |
+| :lock: `SONAR_TOKEN`     | SonarQube authentication [token](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/#using-a-token) (depends on your authentication method) | _none_ |
+| :lock: `SONAR_LOGIN`     | SonarQube [login](https://docs.sonarsource.com/sonarqube-server/latest/extension-guide/web-api/#http-basic-access) (depends on your authentication method)                | _none_ |
 | :lock: `SONAR_PASSWORD`  | SonarQube password (depends on your authentication method)             | _none_ |
-| `sonar-base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/analysis-parameters/) | `sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` |
-| `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ | _none_ (disabled) |
+| `sonar-base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) | `sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` |
+| `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/instance-administration/analysis-functions/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ | _none_ (disabled) |
 | `mvn-sonar-job-tags` / `MVN_SONAR_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 #### Recommended minimal configuration

 1. set the `SONAR_HOST_URL` value either in your `.gitlab-ci.yml` file or as a project or group variable (:warning: setting it as a group variable will enable the SonarQube analysis for all the children projects),
 2. define your SonarQube credentials (:lock: `SONAR_TOKEN` or `SONAR_LOGIN` & :lock: `SONAR_PASSWORD`) as project or group variables,
-3. configure the project SonarQube settings in the `pom.xml` file (:warning: the [SonarScanner for Maven](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner-for-maven/#configuring-analysis) completely ignores the `sonar-project.properties` file):
+3. configure the project SonarQube settings in the `pom.xml` file (:warning: the [SonarScanner for Maven](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/#configuring-analysis) completely ignores the `sonar-project.properties` file):
    ```xml
    <properties>
      <!-- the SonarQube project key -->
@@ -133,9 +143,9 @@ This job uses the following variables:
      ...
    </properties>
    ```
-    More info about [SonarQube settings](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner-for-maven/#analyzing)
+    More info about [SonarQube settings](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/#analyzing)

-:warning: if using [SonarCloud](https://sonarcloud.io/) (a cloud-based SonarQube-as-a-Service), you'll have to define the additional `sonar.organization` property ([see mandatory-parameters](https://docs.sonarcloud.io/advanced-setup/analysis-parameters/#mandatory-parameters)).
+:warning: if using [SonarCloud](https://docs.sonarsource.com/sonarqube-cloud/) (a cloud-based SonarQube-as-a-Service), you'll have to define the additional `sonar.organization` property ([see mandatory-parameters](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/#mandatory-parameters)).

 :information_source: As SonarCloud determined the `organization` and `projectKey` properties from the project's GitLab context when importing the project, you can reuse the predefined GitLab variables as follows in your `pom.xml`:
 ```xml
@@ -148,13 +158,13 @@ This job uses the following variables:

 #### Automatic Branch Analysis & Merge Request Analysis

-This template relies on SonarScanner's [GitLab integration](https://docs.sonarsource.com/sonarqube/latest/devops-platform-integration/gitlab-integration/), which is able to auto-detect whether to launch Branch Analysis or Merge Request Analysis
+This template relies on SonarScanner's [GitLab integration](https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/gitlab-integration/introduction/), which is able to auto-detect whether to launch Branch Analysis or Merge Request Analysis
 from GitLab's environment variables.

 :warning: This feature also depends on your SonarQube server version and license.
 If using Community Edition, you'll have to install the [sonarqube-community-branch-plugin](https://github.com/mc1arke/sonarqube-community-branch-plugin) to enable automatic Branch & Merge Request analysis (only works from SonarQube version 8).

-:warning: Merge Request Analysis only works if you're running [Merge Request pipeline](https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines) strategy (default).
+:warning: Merge Request Analysis only works if you're running [Merge Request pipeline](https://docs.gitlab.com/ci/yaml/workflow/#switch-between-branch-pipelines-and-merge-request-pipelines) strategy (default).

 #### Disable the job

@@ -232,6 +242,7 @@ It is bound to the `test` stage, and uses the following variables:
 | Input / Variable | Description                            | Default value     |
 | --------------------- | -------------------------------------- | ----------------- |
 | `sbom-disabled` / `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `TBC_SBOM_MODE`                      | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence | `onrelease` |
 | `sbom-gen-args` / `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` |
 | `mvn-sbom-job-tags` / `MVN_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

@@ -325,11 +336,11 @@ Your Maven repository may require authentication credentials to publish artifact

 You may handle them in the following ways:

-1. define all required credentials as :lock: [project variables](https://docs.gitlab.com/ee/ci/variables/#for-a-project),
+1. define all required credentials as :lock: [project variables](https://docs.gitlab.com/ci/variables/#for-a-project),
 2. make sure your `pom.xml` (or ancestor) [declares your `<repository>` and `<snapshotRepository>` with server **id**s in a `<distributionManagement>` section](https://maven.apache.org/pom.html#repository),
 3. in your `${MAVEN_CFG_DIR}/settings.xml` file, [define the repository servers credentials in the `<servers>` section](https://maven.apache.org/settings.html#Servers) using the `${env.VARIABLE}` pattern—will be automatically evaluated and replaced by Maven.

-**Example 1** — using the [GitLab Maven Repository](https://docs.gitlab.com/ee/user/packages/maven_repository/)
+**Example 1** — using the [GitLab Maven Repository](https://docs.gitlab.com/user/packages/maven_repository/)

 `pom.xml`:

@@ -354,7 +365,7 @@ You may handle them in the following ways:
 <settings>
  <servers>
    <!-- required when using GitLab's package registry to deploy -->
-    <!-- see: https://docs.gitlab.com/ee/user/packages/maven_repository/index.html#use-the-gitlab-endpoint-for-maven-packages -->
+    <!-- see: https://docs.gitlab.com/user/packages/maven_repository/index/#use-the-gitlab-endpoint-for-maven-packages -->
    <server>
        <id>gitlab-maven</id>
        <configuration>
@@ -419,9 +430,9 @@ You can either use an `ssh` key or an authenticated and authorized Git user.

 ##### Using an SSH key

-We recommend you to use a [project deploy key](https://docs.gitlab.com/ee/user/project/deploy_keys/#project-deploy-keys) with write access to your project.
+We recommend you to use a [project deploy key](https://docs.gitlab.com/user/project/deploy_keys/#project-deploy-keys) with write access to your project.

-The key should not have a passphrase (see [how to generate a new SSH key pair](https://docs.gitlab.com/ee/user/ssh.html#generate-an-ssh-key-pair)).
+The key should not have a passphrase (see [how to generate a new SSH key pair](https://docs.gitlab.com/user/ssh/#generate-an-ssh-key-pair)).

 Specify :lock: `$GIT_PRIVATE_KEY` as protected project variable with the private part of the deploy key.

@@ -543,9 +554,9 @@ All authentication methods should use masked GitLab environment variables.
 ```yaml
 include:
  # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.1
  # Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.3.1
 ```

 ## Variants
@@ -566,7 +577,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 | :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |

-By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.

 #### Usage

@@ -588,9 +599,9 @@ With:
 ```yaml
 include:
  # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.1
  # Vault variant
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-vault@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-vault@4.3.1

 variables:
    # Vault configuration

--- a/kicker.json
+++ b/kicker.json
@@ -171,6 +171,14 @@
      "description": "This job generates a file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)",
      "disable_with": "MAVEN_SBOM_DISABLED",
      "variables": [
+        {
+          "name": "TBC_SBOM_MODE",
+          "type": "enum",
+          "values": ["onrelease", "always"],
+          "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
+          "advanced": true,
+          "default": "onrelease"
+        },
        {
          "name": "MAVEN_SBOM_GEN_ARGS",
          "description": "Maven command used for SBOM analysis",

--- a/templates/gitlab-ci-maven-vault.yml
+++ b/templates/gitlab-ci-maven-vault.yml
@@ -22,7 +22,7 @@ variables:
 .mvn-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "maven", "4.3.0"]
+      command: ["--service", "maven", "4.3.1"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-maven.yml
+++ b/templates/gitlab-ci-maven.yml
@@ -208,7 +208,18 @@ workflow:
    # else (Ready MR): auto & failing
    - when: on_success

+# software delivery job prototype: run on production and integration branches + release pipelines
+.delivery-policy:
+  rules:
+    # on tag with release pattern
+    - if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
+    # on production or integration branch(es)
+    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+
 variables:
+  # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
+  TBC_SBOM_MODE: "onrelease"
+
  # Default Maven project root directory
  MAVEN_PROJECT_DIR: $[[ inputs.project-dir ]]
  # Maven image (can be overridden)
@@ -635,7 +646,7 @@ stages:
  image: $MAVEN_IMAGE
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "maven", "4.3.0"]
+      command: ["--service", "maven", "4.3.1"]
  before_script:
    - !reference [.mvn-scripts]
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
@@ -774,7 +785,13 @@ mvn-sbom:
    # exclude if disabled
    - if: '$MAVEN_SBOM_DISABLED == "true"'
      when: never
-    - !reference [.test-policy, rules]
+    # 'always' mode: run
+    - if: '$TBC_SBOM_MODE == "always"'
+    # exclude unsupported modes
+    - if: '$TBC_SBOM_MODE != "onrelease"'
+      when: never
+    # 'onrelease' mode: use common software delivery rules
+    - !reference [.delivery-policy, rules]
  tags: $[[ inputs.mvn-sbom-job-tags ]]

 mvn-deploy-snapshot: