Skip to content

feat: SBOM + cosign release pipeline + supply-chain hardening#45

Merged
Setounkpe7 merged 11 commits into
devfrom
feat/release-workflow-sbom-cosign
May 28, 2026
Merged

feat: SBOM + cosign release pipeline + supply-chain hardening#45
Setounkpe7 merged 11 commits into
devfrom
feat/release-workflow-sbom-cosign

Conversation

@Setounkpe7

@Setounkpe7 Setounkpe7 commented May 28, 2026

Copy link
Copy Markdown
Owner

Summary

Adds a post-merge release pipeline that publishes the container image to GHCR, signs it with cosign keyless OIDC, attaches a CycloneDX SBOM attestation, and produces a SLSA L2 build provenance attestation. Also hardens security.yml by SHA-pinning every third-party action.

Spec: docs/superpowers/specs/2026-05-28-sbom-cosign-design.md
Plan: docs/superpowers/plans/2026-05-28-sbom-cosign-release-pipeline-plan.md

What's in this PR

  • security.yml — SHA-pinned every third-party action (26 references). Closes the supply-chain gap where aquasecurity/trivy-action@master was a mutable HEAD.
  • release.yml — new workflow that fires on push: main and workflow_dispatch. Strict permissions ({} default, escalated per-job for OIDC + GHCR). Single job owns the entire chain so one OIDC token frame covers every signing op.
  • CycloneDX SBOM generated with Trivy, attached as a signed in-toto attestation (cosign attest --type cyclonedx).
  • Image signature via cosign keyless OIDC (Sigstore Fulcio + Rekor).
  • SLSA L2 build provenance via actions/attest-build-provenance.
  • Smoke verify runs cosign verify + cosign verify-attestation on the published artefacts before the workflow exits.
  • docs/RELEASING.md — one-time GHCR setup, verification commands, rollback procedure.
  • README.md — adds Gitleaks (Secret scanning subsection), refines cosign claim, adds a "Verifying a published image" section.

Test plan

  • actionlint .github/workflows/security.yml exits 0
  • actionlint .github/workflows/release.yml exits 0
  • No @v* or @master references remain for third-party actions in security.yml
  • security.yml runs on this PR — all 9 jobs pass with the new pinned SHAs (must confirm before merging this PR)
  • After merge to dev, open dev → main PR; release.yml fires on merge to main
  • Post-merge maintainer steps in docs/RELEASING.md (one-time GHCR visibility + Actions access)

Notes

  • release.yml does NOT run on this PR (only push: main / workflow_dispatch).
  • One Phase B task is post-merge and requires browser UI clicks (GHCR package visibility) — see docs/RELEASING.md.

🤖 Generated with Claude Code

Setounkpe7 and others added 11 commits May 28, 2026 00:31
@Setounkpe7 @claude
docs(spec): design doc for SBOM + cosign release pipeline
6117406 
Closes the documented-but-not-implemented gap on cosign signing and SBOM
publishing. Bundles SHA-pinning of third-party actions in security.yml
and fixes the gitleaks omission in README's detailed security section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Setounkpe7
docs(plan): implementation plan for SBOM + cosign release pipeline
6bd940c 
12 tasks across two phases: Phase A on the feat branch (SHA-pinning,
release.yml build-out, doc updates), Phase B post-merge (GHCR setup,
end-to-end signature verification).

Refs spec docs/superpowers/specs/2026-05-28-sbom-cosign-design.md
@Setounkpe7
chore(ci): SHA-pin all third-party actions in security.yml
093f7d7 
Pins every external action by commit SHA with a # vX.Y.Z comment.
Closes the supply-chain gap where a compromised action maintainer could
retag a version (e.g. aquasecurity/trivy-action@master is mutable HEAD)
and inject malicious code into the signed image build.

Refs spec docs/superpowers/specs/2026-05-28-sbom-cosign-design.md
@Setounkpe7
ci(release): add release.yml skeleton (triggers, permissions, concurr…
2fef7ef 
…ency)
@Setounkpe7
ci(release): build and push image to GHCR by digest
25751cd
@Setounkpe7
ci(release): generate CycloneDX SBOM with Trivy and install cosign
aa1587c
@Setounkpe7
ci(release): sign image and attest SBOM with cosign keyless OIDC
f2acefe
@Setounkpe7
ci(release): add SLSA provenance attestation and smoke-verify the chain
dda3370
@Setounkpe7
docs(release): document GHCR setup, verification, and rollback proced…
e1f8bf5 
…ures
@Setounkpe7
docs(readme): document gitleaks, refine cosign claim, add Verifying s…
b83c75a 
…ection
@Setounkpe7
chore(deps): bump starlette 1.0.0 -> 1.1.0 to fix CVE-2026-48710
188ab75 
CVE-2026-48710 (GHSA-86qp-5c8j-p5mr / PYSEC-2026-161 / X41-2026-002):
"BadHost" — missing Host header validation in starlette poisons
request.url.path and can bypass path-based security checks. Disclosed
post-merge; pip-audit flagged it on the security gate for this PR.

Transitive dependency of fastapi 0.136.1. Bumped via:
  uv lock --upgrade-package starlette
  uv export --no-dev --no-emit-project --format requirements-txt \
    > requirements.lock

Verified locally:
  pip-audit --requirement requirements.lock --strict
    -> No known vulnerabilities found
  pytest tests/  -> 366 passed
@Setounkpe7 Setounkpe7 merged commit ec31833 into dev May 28, 2026
11 checks passed
@Setounkpe7 Setounkpe7 mentioned this pull request May 28, 2026
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Setounkpe7