release: SBOM + cosign release pipeline + supply-chain hardening #46

Merged: Setounkpe7 merged 14 commits into main from dev on May 28, 2026

@Setounkpe7

Owner

Summary

Promotes the SBOM + cosign release pipeline and supply-chain hardening from dev to main. First merge fires release.yml, which publishes a signed image to GHCR.

Includes:

  • security.yml — every third-party action SHA-pinned (26 refs).
  • release.yml — new post-merge workflow (publish to GHCR + cosign keyless OIDC signature + CycloneDX SBOM attestation + SLSA L2 build provenance + smoke verify).
  • docs/RELEASING.md — one-time GHCR setup, verification commands, rollback.
  • README.md — Gitleaks documented (Secret scanning subsection), refined cosign claim, new "Verifying a published image" section.
  • Hotfix: starlette 1.0.0 → 1.1.0 (CVE-2026-48710 BadHost).

Post-merge maintainer action required:
After the first release.yml run, the GHCR package must be made Public and granted Write access to this repository. Full procedure in docs/RELEASING.md.

Test plan

  • Verified on PR feat: SBOM + cosign release pipeline + supply-chain hardening #45 — all 11 security checks pass with SHA-pinned actions
  • actionlint passes on both workflows
  • pip-audit --strict clean after starlette bump
  • 366 pytest tests pass locally
  • release.yml fires and completes successfully on merge to main (smoke verify step proves the full chain)
  • GHCR one-time setup completed per docs/RELEASING.md
  • Railway production deploy succeeds on the new main HEAD

🤖 Generated with Claude Code

Setounkpe7 and others added 14 commits May 20, 2026 20:05
docker compose up --build used to fail right after git clone because
env_file pointed at a gitignored .env that doesn't exist on first run.
Switch to the long form with required: false so a missing .env is fine,
and add a `cp .env.example .env` line to the Quick Start for users who
want to populate ADMIN_API_KEY or GITHUB_TOKEN.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
)

Codifies the workflow contributors (human or agent) must follow:
- never commit directly on main or dev
- any task starts on a feat|fix|chore|docs|hotfix/* branch cut from dev
- flow is feat/* -> dev -> main

Also documents the graphify knowledge graph so Claude reads
graphify-out/GRAPH_REPORT.md before answering architecture questions.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Closes the documented-but-not-implemented gap on cosign signing and SBOM
publishing. Bundles SHA-pinning of third-party actions in security.yml
and fixes the gitleaks omission in README's detailed security section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

12 tasks across two phases: Phase A on the feat branch (SHA-pinning,
release.yml build-out, doc updates), Phase B post-merge (GHCR setup,
end-to-end signature verification).

Refs spec docs/superpowers/specs/2026-05-28-sbom-cosign-design.md

Pins every external action by commit SHA with a # vX.Y.Z comment.
Closes the supply-chain gap where a compromised action maintainer could
retag a version (e.g. aquasecurity/trivy-action@master is mutable HEAD)
and inject malicious code into the signed image build.

Refs spec docs/superpowers/specs/2026-05-28-sbom-cosign-design.md

CVE-2026-48710 (GHSA-86qp-5c8j-p5mr / PYSEC-2026-161 / X41-2026-002):
"BadHost" — missing Host header validation in starlette poisons
request.url.path and can bypass path-based security checks. Disclosed
post-merge; pip-audit flagged it on the security gate for this PR.

Transitive dependency of fastapi 0.136.1. Bumped via:
  uv lock --upgrade-package starlette
  uv export --no-dev --no-emit-project --format requirements-txt \
    > requirements.lock

Verified locally:
  pip-audit --requirement requirements.lock --strict
    -> No known vulnerabilities found
  pytest tests/  -> 366 passed

feat: SBOM + cosign release pipeline + supply-chain hardening
@Setounkpe7 merged commit ff51baa into main on May 28, 2026
17 of 21 checks passed