Attach SBOM assets to releases

Author: Boyeep

.github/workflows/release.yml

@@ -63,6 +63,8 @@ jobs:
     outputs:
       backend-attestation-url: ${{ steps.attest-backend.outputs.attestation-url }}
       frontend-attestation-url: ${{ steps.attest-frontend.outputs.attestation-url }}
+      backend-digest: ${{ steps.push-backend.outputs.digest }}
+      frontend-digest: ${{ steps.push-frontend.outputs.digest }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -152,17 +154,66 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      packages: read
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Set lowercase owner
         id: vars
         run: echo "owner=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
         shell: bash
 
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Prepare release asset directory
+        run: mkdir -p dist/release-assets
+        shell: bash
+
+      - name: Generate source SBOM asset
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          path: .
+          format: spdx-json
+          syft-version: v1.41.2
+          output-file: dist/release-assets/repo-source-${{ github.ref_name }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Generate backend image SBOM asset
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          image: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend@${{ needs.publish-images.outputs.backend-digest }}
+          format: spdx-json
+          syft-version: v1.41.2
+          output-file: dist/release-assets/backend-runner-${{ github.ref_name }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Generate frontend image SBOM asset
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          image: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend@${{ needs.publish-images.outputs.frontend-digest }}
+          format: spdx-json
+          syft-version: v1.41.2
+          output-file: dist/release-assets/frontend-runner-${{ github.ref_name }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
       - name: Publish release
         uses: softprops/action-gh-release@v2
         with:
           generate_release_notes: true
           append_body: true
+          files: |
+            dist/release-assets/repo-source-${{ github.ref_name }}.spdx.json
+            dist/release-assets/backend-runner-${{ github.ref_name }}.spdx.json
+            dist/release-assets/frontend-runner-${{ github.ref_name }}.spdx.json
           body: |
             ## Published Images
 
@@ -173,3 +224,17 @@ jobs:
 
             - Backend image: ${{ needs.publish-images.outputs.backend-attestation-url }}
             - Frontend image: ${{ needs.publish-images.outputs.frontend-attestation-url }}
+
+            ## Attached SBOM Assets
+
+            - `repo-source-${{ github.ref_name }}.spdx.json`
+            - `backend-runner-${{ github.ref_name }}.spdx.json`
+            - `frontend-runner-${{ github.ref_name }}.spdx.json`
+
+            ## Verification
+
+            ```bash
+            docker login ghcr.io
+            gh attestation verify oci://ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend:${{ github.ref_name }} -R ${{ github.repository }}
+            gh attestation verify oci://ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend:${{ github.ref_name }} -R ${{ github.repository }}
+            ```

CONTRIBUTING.md

@@ -134,6 +134,7 @@ If you modify request or response shapes:
 6. Confirm the release smoke workflow passes against the published images, or dispatch it manually for a tag if you need to re-check a release.
 
 The release notes will also include links to the image provenance attestations generated during the publish workflow.
+The release itself will also carry attached SPDX SBOM files for the source tree and the published runner images.
 
 The component labels used by Release Drafter are synced from `.github/labels.json`, and most of the common ones are applied automatically from changed paths.
 

README.md

@@ -139,6 +139,7 @@ An SBOM workflow also publishes SPDX artifacts for the repository source plus th
 - Pushing a tag like `v0.1.0` triggers the release workflow.
 - That workflow verifies the tagged commit, publishes backend/frontend images to GHCR, and creates a GitHub Release with generated notes.
 - The release workflow also generates build-provenance attestations for the published GHCR images and links them from the release notes.
+- The GitHub Release also includes attached SPDX SBOM assets for the source tree and both runner images.
 - A follow-up smoke workflow pulls those published GHCR images and checks backend health, a real inference request, and the frontend shell before you treat the release as healthy.
 - Maintainers can re-run the same check manually with `BACKEND_IMAGE=... FRONTEND_IMAGE=... npm run check:release-smoke`.
 

SECURITY.md

@@ -36,6 +36,8 @@ The repository also uses automated scanning to help catch common security issues
 - GitHub SBOM artifacts for the repository source and runner images
 - GitHub build-provenance attestations for published release images
 
+Tagged releases also include attached SPDX SBOM files and release-note verification snippets for the published container images.
+
 Dependency review is also configured with an allowlist that matches the current dependency tree, so changes that introduce new license types are surfaced deliberately instead of silently drifting in.
 
 Those checks do not replace private disclosure. If you believe a vulnerability is real or

future-reference-feature.md

@@ -177,6 +177,7 @@ What it covers here:
 - tag-triggered release workflow
 - GHCR publishing
 - build-provenance attestations for published container images
+- attached SBOM release assets for published source and runtime artifacts
 - release smoke test against published images
 - synced repository labels
 
@@ -192,6 +193,7 @@ Generic takeaway:
 - if the repo is public and meant to last, release automation is worth it
 - release smoke tests are especially valuable because they test the thing users actually consume
 - provenance attestations strengthen trust in published artifacts without requiring manual signing steps
+- attaching SBOMs directly to releases makes supply-chain metadata easier for downstream users to consume
 
 ### 7. Repo Governance and Maintainer UX
 

template-playbook.md

@@ -53,6 +53,7 @@ If a template only has code and no repo workflow, it is usually still a prototyp
 - label sync
 - publish workflow
 - provenance attestations for published artifacts when possible
+- attach SBOMs to releases when you publish installable artifacts or images
 - release smoke test
 
 ### Repo Governance
@@ -161,6 +162,7 @@ If you want the version that scales better for open source or long-term reuse, a
 - dependency licenses should be reportable without manual digging
 - SBOMs should be generated for source trees or release artifacts when supply-chain visibility matters
 - published artifacts should have provenance attestations when the platform supports them
+- release notes should tell consumers how to verify what you published
 - release steps should be automated
 - docs should explain maintainer flow, not just user setup