Skip to content

ci: SBOM generation in releases #21

Description

@adamdaw

Generate a Software Bill of Materials (SBOM) and attach it to GitHub Releases.

Context

Supply-chain security best practice (OpenSSF). An SBOM in CycloneDX or SPDX format documents all dependencies embedded in the Docker image and release artifacts.

Acceptance Criteria

  • SBOM generated during release.yml workflow
  • Attached to GitHub Release as artifact
  • Covers: npm dependencies, pip dependencies, apt packages, vendored Lua filter

Reference: best.openssf.org, cyclonedx.org

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions