From 689fcb838e79de72ac52ad343542de1d33f3641f Mon Sep 17 00:00:00 2001
From: SASAGAWA Kiyoshi <sasagawa@kent-and-co.com>
Date: Thu, 14 May 2026 02:24:58 +0900
Subject: [PATCH] chore: phase 2 supply-chain hardening (SBOM + provenance)
 (refs #168)

Adds SBOM generation and build provenance attestation to release
workflows. Users can now audit dependency trees and verify that
release artifacts originate from this repository at a specific commit.

Workflows:
- auto-tag.yml, release.yml: generate SPDX-JSON SBOM via Syft
  (anchore/sbom-action), attest provenance via Sigstore
  (actions/attest-build-provenance), attach SBOM to GitHub Release
- Permissions: opt-in id-token: write, attestations: write per job

Pinned to SHA:
- anchore/sbom-action@e22c389 (v0.24.0)
- actions/attest-build-provenance@a2bbfa2 (v4.1.0)

Side fix:
- .gitignore: add .playwright-mcp/ to prevent Playwright MCP
  snapshot/screenshot artifacts from being tracked
---
 .github/workflows/auto-tag.yml | 19 +++++++++++++++++++
 .github/workflows/release.yml  | 19 +++++++++++++++++++
 .gitignore                     |  4 ++++
 3 files changed, 42 insertions(+)

diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 3f67be8b..8e2b12c7 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -74,6 +74,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write       # for sigstore signing via GitHub OIDC
+      attestations: write   # for actions/attest-build-provenance
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
@@ -257,6 +259,21 @@ jobs:
 
           cat CHANGELOG.md
 
+      - name: Generate SBOM (SPDX-JSON)
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
+        with:
+          path: .
+          format: spdx-json
+          artifact-name: rox-${{ needs.auto-tag.outputs.version }}.spdx.json
+          output-file: rox-${{ needs.auto-tag.outputs.version }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Attest SBOM provenance
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: rox-${{ needs.auto-tag.outputs.version }}.spdx.json
+
       - name: Create Release
         uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
         with:
@@ -265,5 +282,7 @@ jobs:
           body_path: CHANGELOG.md
           prerelease: ${{ steps.check.outputs.is_prerelease }}
           draft: false
+          files: |
+            rox-${{ needs.auto-tag.outputs.version }}.spdx.json
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 32be4490..f562644a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,6 +41,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write       # for sigstore signing via GitHub OIDC
+      attestations: write   # for actions/attest-build-provenance
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
@@ -257,6 +259,21 @@ jobs:
 
           cat CHANGELOG.md
 
+      - name: Generate SBOM (SPDX-JSON)
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
+        with:
+          path: .
+          format: spdx-json
+          artifact-name: rox-${{ steps.version.outputs.version }}.spdx.json
+          output-file: rox-${{ steps.version.outputs.version }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Attest SBOM provenance
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: rox-${{ steps.version.outputs.version }}.spdx.json
+
       - name: Create Release
         uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
         with:
@@ -266,5 +283,7 @@ jobs:
           prerelease: ${{ steps.check.outputs.is_prerelease }}
           draft: false
           generate_release_notes: false
+          files: |
+            rox-${{ steps.version.outputs.version }}.spdx.json
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
index f3a37c09..3a59f6fb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -94,5 +94,9 @@ docker/certs/*-key.pem
 # cipher data
 cipherdata/
 cipher.yml
+
 # Jujutsu
 .jj/
+
+# Playwright MCP snapshots / screenshots (test artifacts)
+.playwright-mcp/