mirror of
https://github.com/mwisnowski/mtg_python_deckbuilder.git
synced 2026-04-05 12:47:17 +02:00
feat: add SBOM generation and build provenance attestation to release workflows (#69)
* feat: add SBOM generation and build provenance attestation to release workflows * docs: update release notes template with SBOM unreleased entry
This commit is contained in:
mwisnowski
GitHub
parent
6d1d5a1822
commit
75184a5967
5 changed files with 90 additions and 5 deletions
|
|
@ -8,7 +8,8 @@ This format follows Keep a Changelog principles and aims for Semantic Versioning
|
|||
- Link PRs/issues inline when helpful, e.g., (#123) or [#123]. Reference-style links at the bottom are encouraged for readability.
|
||||
|
||||
## [Unreleased]
|
||||
_No unreleased changes yet._
|
||||
### Added
|
||||
- **SBOM & supply chain provenance**: Every tagged release now attaches source SBOMs (SPDX + CycloneDX JSON) for Python dependencies and a CycloneDX container image SBOM to the GitHub Release assets. Build provenance attestations (SLSA-style) are published for the multi-arch Docker image via the GitHub Attestations API. `provenance: mode=max` is enabled on all arch builds.
|
||||
|
||||
## [4.5.2] - 2026-04-01
|
||||
### Added
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue