187

.github/workflows/release.yml

@@ -13,6 +13,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
 
+permissions:
+  contents: write
+  id-token: write
+  attestations: write
+
 jobs:
   checks:
     uses: ./.github/workflows/reusable-ci.yml
@@ -163,3 +168,91 @@ jobs:
           done
           echo "Failed to publish masterror after retries."
           exit 1
+
+  security:
+    runs-on: ubuntu-latest
+    needs: publish
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install Rust (stable)
+        uses: dtolnay/rust-toolchain@v1
+        with:
+          toolchain: stable
+
+      - name: Install cargo-cyclonedx
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-cyclonedx
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Generate SBOM (CycloneDX)
+        shell: bash
+        run: |
+          set -euo pipefail
+          cargo cyclonedx --format json --all-features
+          mv masterror.cdx.json sbom.json
+          echo "SBOM generated: sbom.json"
+
+      - name: Package crates for release
+        shell: bash
+        run: |
+          set -euo pipefail
+          cargo package --locked
+          echo "Crates packaged in target/package/"
+
+      - name: Sign SBOM with Sigstore
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign sign-blob \
+            --bundle sbom.cosign.bundle \
+            --yes \
+            sbom.json
+          echo "SBOM signed with Sigstore"
+
+      - name: Sign crate artifacts
+        shell: bash
+        run: |
+          set -euo pipefail
+          for crate in target/package/*.crate; do
+            if [ -f "$crate" ]; then
+              cosign sign-blob \
+                --bundle "${crate}.cosign.bundle" \
+                --yes \
+                "$crate"
+              echo "Signed: $crate"
+            fi
+          done
+
+      - name: Generate build provenance attestations
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: |
+            sbom.json
+            target/package/*.crate
+
+      - name: Upload SBOM to release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            sbom.json
+            sbom.cosign.bundle
+            target/package/*.crate
+            target/package/*.crate.cosign.bundle
+
+      - name: Upload security artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-artifacts
+          path: |
+            sbom.json
+            sbom.cosign.bundle
+            target/package/*.crate.cosign.bundle
+          retention-days: 90

README.md

@@ -488,4 +488,3 @@ assert_eq!(problem.grpc.expect("grpc").name, "UNAUTHENTICATED");
 
 MSRV: **1.90** · License: **MIT OR Apache-2.0** · No `unsafe`
 
-