Skip to content

ci: stamp SBOM creator and sign build provenance attestations#18

Merged
opensource-SantanderAI merged 1 commit into
mainfrom
security/sbom-provenance
Jul 10, 2026
Merged

ci: stamp SBOM creator and sign build provenance attestations#18
opensource-SantanderAI merged 1 commit into
mainfrom
security/sbom-provenance

Conversation

@opensource-SantanderAI

Copy link
Copy Markdown
Contributor

Same change already merged and verified live in SantanderAI/gen-fraud-graph#29: stamps Santander Group as SBOM document creator, signs both SBOM files with actions/attest-build-provenance (Sigstore — verifiable with gh attestation verify <file> -R SantanderAI/genetic-algorithm) and uploads release assets after stamping. Least-privilege job-level permissions.

Same sbom.yml v2 already merged and verified in gen-fraud-graph#29:
SPDX/CycloneDX creator stamped as Santander Group and both SBOM files
signed with actions/attest-build-provenance (Sigstore), verifiable via
'gh attestation verify'. Release assets uploaded after stamping.
@opensource-SantanderAI opensource-SantanderAI requested a review from a team as a code owner July 10, 2026 08:55
@opensource-SantanderAI opensource-SantanderAI merged commit e464f75 into main Jul 10, 2026
11 checks passed
@opensource-SantanderAI opensource-SantanderAI deleted the security/sbom-provenance branch July 10, 2026 09:07
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 10, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant