Merge branch 'main' into dependabot/github_actions/actions/setup-node-6

Author: Boyeep

.github/workflows/release.yml

@@ -63,6 +63,8 @@ jobs:
     outputs:
       backend-attestation-url: ${{ steps.attest-backend.outputs.attestation-url }}
       frontend-attestation-url: ${{ steps.attest-frontend.outputs.attestation-url }}
+      backend-digest: ${{ steps.push-backend.outputs.digest }}
+      frontend-digest: ${{ steps.push-frontend.outputs.digest }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -152,17 +154,66 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      packages: read
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Set lowercase owner
         id: vars
         run: echo "owner=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
         shell: bash
 
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Prepare release asset directory
+        run: mkdir -p dist/release-assets
+        shell: bash
+
+      - name: Generate source SBOM asset
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          path: .
+          format: spdx-json
+          syft-version: v1.41.2
+          output-file: dist/release-assets/repo-source-${{ github.ref_name }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Generate backend image SBOM asset
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          image: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend@${{ needs.publish-images.outputs.backend-digest }}
+          format: spdx-json
+          syft-version: v1.41.2
+          output-file: dist/release-assets/backend-runner-${{ github.ref_name }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Generate frontend image SBOM asset
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          image: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend@${{ needs.publish-images.outputs.frontend-digest }}
+          format: spdx-json
+          syft-version: v1.41.2
+          output-file: dist/release-assets/frontend-runner-${{ github.ref_name }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
       - name: Publish release
         uses: softprops/action-gh-release@v2
         with:
           generate_release_notes: true
           append_body: true
+          files: |
+            dist/release-assets/repo-source-${{ github.ref_name }}.spdx.json
+            dist/release-assets/backend-runner-${{ github.ref_name }}.spdx.json
+            dist/release-assets/frontend-runner-${{ github.ref_name }}.spdx.json
           body: |
             ## Published Images
 
@@ -173,3 +224,17 @@ jobs:
 
             - Backend image: ${{ needs.publish-images.outputs.backend-attestation-url }}
             - Frontend image: ${{ needs.publish-images.outputs.frontend-attestation-url }}
+
+            ## Attached SBOM Assets
+
+            - `repo-source-${{ github.ref_name }}.spdx.json`
+            - `backend-runner-${{ github.ref_name }}.spdx.json`
+            - `frontend-runner-${{ github.ref_name }}.spdx.json`
+
+            ## Verification
+
+            ```bash
+            docker login ghcr.io
+            gh attestation verify oci://ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend:${{ github.ref_name }} -R ${{ github.repository }}
+            gh attestation verify oci://ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend:${{ github.ref_name }} -R ${{ github.repository }}
+            ```

CONTRIBUTING.md

@@ -134,6 +134,7 @@ If you modify request or response shapes:
 6. Confirm the release smoke workflow passes against the published images, or dispatch it manually for a tag if you need to re-check a release.
 
 The release notes will also include links to the image provenance attestations generated during the publish workflow.
+The release itself will also carry attached SPDX SBOM files for the source tree and the published runner images.
 
 The component labels used by Release Drafter are synced from `.github/labels.json`, and most of the common ones are applied automatically from changed paths.
 

README.md

@@ -139,6 +139,7 @@ An SBOM workflow also publishes SPDX artifacts for the repository source plus th
 - Pushing a tag like `v0.1.0` triggers the release workflow.
 - That workflow verifies the tagged commit, publishes backend/frontend images to GHCR, and creates a GitHub Release with generated notes.
 - The release workflow also generates build-provenance attestations for the published GHCR images and links them from the release notes.
+- The GitHub Release also includes attached SPDX SBOM assets for the source tree and both runner images.
 - A follow-up smoke workflow pulls those published GHCR images and checks backend health, a real inference request, and the frontend shell before you treat the release as healthy.
 - Maintainers can re-run the same check manually with `BACKEND_IMAGE=... FRONTEND_IMAGE=... npm run check:release-smoke`.
 

SECURITY.md

@@ -36,6 +36,8 @@ The repository also uses automated scanning to help catch common security issues
 - GitHub SBOM artifacts for the repository source and runner images
 - GitHub build-provenance attestations for published release images
 
+Tagged releases also include attached SPDX SBOM files and release-note verification snippets for the published container images.
+
 Dependency review is also configured with an allowlist that matches the current dependency tree, so changes that introduce new license types are surfaced deliberately instead of silently drifting in.
 
 Those checks do not replace private disclosure. If you believe a vulnerability is real or