Add SBOM generation to CI/CD pipeline and releases

.github/aw/actions-lock.json

@@ -65,6 +65,11 @@
       "version": "v5",
       "sha": "330a01c490aca151604b8cf639adc76d48f6c5d4"
     },
+    "anchore/sbom-action@v0.20.10": {
+      "repo": "anchore/sbom-action",
+      "version": "v0.20.10",
+      "sha": "fbfd9c6c189226748411491745178e0c2017392d"
+    },
     "astral-sh/setup-uv@v5": {
       "repo": "astral-sh/setup-uv",
       "version": "v5",

.github/workflows/release.md

@@ -37,6 +37,7 @@ jobs:
       attestations: write
     outputs:
       release_id: ${{ steps.get_release.outputs.release_id }}
+      release_tag: ${{ steps.get_release.outputs.release_tag }}
     steps:
       - name: Checkout
         uses: actions/checkout@v5
@@ -59,7 +60,58 @@ jobs:
           echo "Getting release ID for tag: $RELEASE_TAG"
           RELEASE_ID=$(gh release view "$RELEASE_TAG" --json databaseId --jq '.databaseId')
           echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT"
+          echo "release_tag=$RELEASE_TAG" >> "$GITHUB_OUTPUT"
           echo "✓ Release ID: $RELEASE_ID"
+          echo "✓ Release Tag: $RELEASE_TAG"
+  generate-sbom:
+    needs: ["release"]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Download Go modules
+        run: go mod download
+
+      - name: Generate SBOM (SPDX format)
+        uses: anchore/sbom-action@v0
+        with:
+          artifact-name: sbom.spdx.json
+          output-file: sbom.spdx.json
+          format: spdx-json
+
+      - name: Generate SBOM (CycloneDX format)
+        uses: anchore/sbom-action@v0
+        with:
+          artifact-name: sbom.cdx.json
+          output-file: sbom.cdx.json
+          format: cyclonedx-json
+
+      - name: Upload SBOM artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-artifacts
+          path: |
+            sbom.spdx.json
+            sbom.cdx.json
+          retention-days: 90
+
+      - name: Attach SBOM to release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TAG: ${{ needs.release.outputs.release_tag }}
+        run: |
+          echo "Attaching SBOM files to release: $RELEASE_TAG"
+          gh release upload "$RELEASE_TAG" sbom.spdx.json sbom.cdx.json --clobber
+          echo "✓ SBOM files attached to release"
 steps:
   - name: Setup environment and fetch release data
     env:

.gitignore

@@ -61,6 +61,10 @@ logs/
 # Benchmark results
 bench_results.txt
 
+# SBOM files (generated by make sbom)
+sbom.spdx.json
+sbom.cdx.json
+
 node_modules/
 gh-aw-test/
 

Makefile

@@ -341,6 +341,24 @@ pull-main:
 release: pull-main build
 	@node scripts/changeset.js release
 
+# Generate Software Bill of Materials (SBOM)
+.PHONY: sbom
+sbom:
+	@if ! command -v syft >/dev/null 2>&1; then \
+		echo "Error: syft is not installed."; \
+		echo ""; \
+		echo "Install syft to generate SBOMs:"; \
+		echo "  curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin"; \
+		echo ""; \
+		echo "Or visit: https://github.com/anchore/syft#installation"; \
+		exit 1; \
+	fi
+	@echo "Generating SBOM in SPDX format..."
+	syft packages . -o spdx-json=sbom.spdx.json
+	@echo "Generating SBOM in CycloneDX format..."
+	syft packages . -o cyclonedx-json=sbom.cdx.json
+	@echo "✓ SBOM files generated: sbom.spdx.json, sbom.cdx.json"
+
 # Agent should run this task before finishing its turns
 .PHONY: agent-finish
 agent-finish: deps-dev fmt lint build test-all recompile dependabot generate-schema-docs generate-labs
@@ -387,4 +405,5 @@ help:
 	@echo "  agent-finish     - Complete validation sequence (build, test, recompile, fmt, lint)"
 	@echo "  version   - Preview next version from changesets"
 	@echo "  release   - Create release using changesets (depends on test)"
+	@echo "  sbom             - Generate SBOM in SPDX and CycloneDX formats (requires syft)"
 	@echo "  help             - Show this help message"

SECURITY.md

@@ -29,3 +29,37 @@ This information will help us triage your report more quickly.
 ## Policy
 
 See [GitHub's Safe Harbor Policy](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms)
+
+## Software Bill of Materials (SBOM)
+
+We generate Software Bill of Materials (SBOM) for this project to provide complete visibility into the dependency tree, enabling compliance reporting, vulnerability tracking, and supply chain risk assessment.
+
+### SBOM Generation
+
+SBOMs are automatically generated on every release and attached to GitHub releases as downloadable assets.
+
+Both SPDX and CycloneDX formats are generated to ensure compatibility with different compliance and security tools.
+
+### Local SBOM Generation
+
+To generate an SBOM locally, first install [syft](https://github.com/anchore/syft):
+
+```bash
+# Install syft
+curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+# Generate SBOM
+make sbom
+```
+
+This produces two files:
+- `sbom.spdx.json` - SBOM in SPDX JSON format
+- `sbom.cdx.json` - SBOM in CycloneDX JSON format
+
+### SBOM Contents
+
+The generated SBOMs include:
+- All direct and transitive Go dependencies
+- Package versions and licenses
+- Package hashes for integrity verification
+- Dependency relationships

pkg/workflow/data/action_pins.json

@@ -65,6 +65,11 @@
       "version": "v5",
       "sha": "330a01c490aca151604b8cf639adc76d48f6c5d4"
     },
+    "anchore/sbom-action@v0.20.10": {
+      "repo": "anchore/sbom-action",
+      "version": "v0.20.10",
+      "sha": "fbfd9c6c189226748411491745178e0c2017392d"
+    },
     "astral-sh/setup-uv@v5": {
       "repo": "astral-sh/setup-uv",
       "version": "v5",