Skip to content

ci: attach SBOM (SPDX + CycloneDX) to every release#17

Merged
opensource-SantanderAI merged 1 commit into
mainfrom
security/sbom-per-release
Jul 10, 2026
Merged

ci: attach SBOM (SPDX + CycloneDX) to every release#17
opensource-SantanderAI merged 1 commit into
mainfrom
security/sbom-per-release

Conversation

@opensource-SantanderAI

Copy link
Copy Markdown
Contributor

Adds the same SHA-pinned sbom.yml already merged and verified in SantanderAI/gen-fraud-graph#28: on every published release it generates a Software Bill of Materials with syft (SPDX JSON + CycloneDX JSON) and attaches both as release assets; workflow_dispatch uploads them as workflow artifacts for verification. Least-privilege permissions (top-level none, contents: write at job level).

Same SHA-pinned sbom.yml already merged and verified in gen-fraud-graph:
on each published release it generates the SBOM with syft in both standard
formats and attaches them as release assets. Top-level permissions none,
contents: write only at job level.
@opensource-SantanderAI opensource-SantanderAI requested a review from a team as a code owner July 10, 2026 08:33
@opensource-SantanderAI opensource-SantanderAI merged commit 3478c19 into main Jul 10, 2026
11 checks passed
@opensource-SantanderAI opensource-SantanderAI deleted the security/sbom-per-release branch July 10, 2026 08:39
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 10, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant