CoderDeltaLAN · CoderDeltaLAN · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025
@@ -12,7 +12,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
       - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
+      - uses: docker/login-actionbdaa0721073962dff0199f1fb9940f@07167d1
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -24,7 +24,7 @@ jobs:
           tags: |
             type=raw,value=latest
             type=ref,event=tag
-      - uses: docker/build-push-action@v6
+      - uses: docker/build-push-actiond21b8e681c14492fe198d362@a7d2c83
         with:
           context: .
           push: true

@@ -0,0 +1,37 @@
+name: release-sbom
+on:
+  release:
+    types: [published]
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - name: Generate SBOM (CycloneDX JSON)
+        uses: anchore/sbom-action@c73dd3f93ab542b7902df62a6ee5ad763179fa7b
+        with:
+          path: .
+          format: cyclonedx-json
+          output-file: sbom-cyclonedx.json
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Sign SBOM (keyless OIDC)
+        run: |
+          cosign sign-blob --yes \
+            --output-signature sbom-cyclonedx.json.sig \
+            --output-certificate sbom-cyclonedx.json.crt \
+            sbom-cyclonedx.json
+      - name: Attach SBOM to release
+        uses: softprops/action-gh-releasecbd405e2c4e67a21c47fa9e383d020e4@e28b836
+        with:
+          files: |
+            sbom-cyclonedx.json
+            sbom-cyclonedx.json.sig
+            sbom-cyclonedx.json.crt
@@ -3,6 +3,7 @@ on:
   release: { types: [published] }
   workflow_dispatch:
 permissions:
+  attestations: write
   contents: write
   id-token: write
 jobs:

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-nodeea5288caeca8642d1e84afbd3f7d@6820020
         with: { node-version: "20" }
       - run: npm ci
       # Placeholder para fuzz real; mantener job verde

@@ -9,7 +9,7 @@ jobs:
   label:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v6
+      - uses: actions/labeleredcd8ababfe52f92936142cc22a@c488b1b
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           sync-labels: true

@@ -30,7 +30,7 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          publish_results: false
+          publish_results: true
 
       - name: Upload SARIF to code scanning
         uses: github/codeql-action/upload-sarif@v3

@@ -15,3 +15,4 @@ _ci_redfix/
 # local artifacts
 _ci_local/
 .tools/
+_ci_diag/
@@ -9,3 +9,4 @@ poetry.lock
 
 pnpm-lock.yaml
 pnpm-lock.yaml
+_ci_diag/
@@ -1,4 +1,4 @@
-FROM busybox:stable-glibc
+FROM busybox:stable-glibc@sha256:4a35a7836fe08f340a42e25c4ac5eef4439585bbbb817b7bd28b2cd87c742642
 LABEL org.opencontainers.image.title="ci-matrix-starter"
 LABEL org.opencontainers.image.description="Reusable GitHub Actions CI for Python/TypeScript with SBOM & optional signing"
 LABEL org.opencontainers.image.source="https://github.com/CoderDeltaLAN/ci-matrix-starter"

@@ -1,6 +1,6 @@
 {
   "name": "@CoderDeltaLAN/ci-matrix-starter",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "private": true,
   "type": "module",
   "scripts": {
Original file line number	Diff line number	Diff line change
Expand Up		@@ -9,3 +9,4 @@ poetry.lock

		pnpm-lock.yaml
		pnpm-lock.yaml
		_ci_diag/