Conversation

@eNeRGy164
Member

This PR introduces a comprehensive supply chain security upgrade for the build and release process of this repository.
The goal: ensure all published packages are verifiably authentic, free of known vulnerabilities, and fully traceable, following industry best practices (SBOM, provenance, and attestation).

Summary of Changes

  • GitHub Actions pipeline hardening:

    • All actions pinned by SHA for supply chain trust.
    • Minimal workflow permissions (contents, packages, id-token, attestations).
    • Trivy vulnerability DB is cached for fast, consistent scans.
    • Automated upload and attestation of SBOMs with actions/attest-sbom.
    • Artifacts and SBOMs are uploaded for release and provenance.
  • Nuke build enhancements:

    • Clean, deterministic build and test process.
    • Strict Git state check ensures only committed code is built in CI.
    • SBOMs generated via sbom-tool for all deliverables.
    • Source tree scanned with Trivy for vulnerabilities, secrets, and misconfigurations.
    • Hashing of all build artifacts (.nupkg and .snupkg), with aggregate SHA256SUMS file for attestation.
    • Artifact hash verification before publishing to NuGet or GitHub Packages.
    • Audit steps for vulnerable and deprecated dependencies.
    • Results are ready for attestation with GitHub’s OIDC-based API.
  • Best practices documentation:

    • Extensive code and workflow comments to guide future maintainers on the what and why of each security step.

Why?

  • To protect consumers from supply chain attacks, accidental leaks, or dependency vulnerabilities.
  • To provide SBOMs and cryptographic provenance, following industry/government requirements and SLSA guidance.
  • To enable downstream automation and audit with verifiable evidence of build and package integrity.
  • To set an example of secure .NET package delivery for the open-source community.

How to verify

  • Inspect workflow runs for successful artifact and SBOM attestation.
  • Check that all deliverables are accompanied by their hashes and SBOMs.
  • Review PR/commit for explanatory comments on security controls.
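
As an added example (not code from this PR or the DendroDocs project), the hash-manifest step from the Nuke list and the "accompanied by their hashes" check above, written in Python: it builds a coreutils-style SHA256SUMS over .nupkg/.snupkg artifacts and verifies it before publishing, flagging tampered, missing and unlisted files. Package names and bytes in the demo are constructed.

```python
"""Aggregate SHA256SUMS for build artifacts and verify them before publishing."""
import hashlib, tempfile
from pathlib import Path

ARTIFACT_SUFFIXES = (".nupkg", ".snupkg")

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_sha256sums(artifact_dir: Path) -> Path:
    """Hash every .nupkg/.snupkg into a coreutils-style SHA256SUMS (two-space separator)."""
    lines = [f"{sha256_file(p)}  {p.name}" for p in sorted(artifact_dir.iterdir())
             if p.suffix in ARTIFACT_SUFFIXES]
    out = artifact_dir / "SHA256SUMS"
    out.write_text("\n".join(lines) + "\n")
    return out

def verify_sha256sums(artifact_dir: Path) -> dict[str, str]:
    """Per-file status like `sha256sum -c` (OK/FAILED/MISSING); unhashed artifacts on disk are UNLISTED."""
    results: dict[str, str] = {}
    for line in filter(str.strip, (artifact_dir / "SHA256SUMS").read_text().splitlines()):
        expected, name = line.split(None, 1)
        name = name[1:] if name.startswith("*") else name  # strip binary-mode marker
        target = artifact_dir / name
        if not target.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(target) == expected.lower() else "FAILED"
    for p in artifact_dir.iterdir():  # anything hashable that the manifest never covered
        if p.suffix in ARTIFACT_SUFFIXES and p.name not in results:
            results[p.name] = "UNLISTED"
    return results

def demo() -> dict:
    """Constructed sample (fake package bytes, not real .nupkg files) showing each failure mode."""
    with tempfile.TemporaryDirectory() as d:
        out, pkg, sym = Path(d), "Acme.Lib.1.0.0.nupkg", "Acme.Lib.1.0.0.snupkg"
        (out / pkg).write_bytes(b"PK\x03\x04 constructed package")
        (out / sym).write_bytes(b"PK\x03\x04 constructed symbols")
        write_sha256sums(out)
        clean = verify_sha256sums(out)                                   # all OK
        (out / pkg).write_bytes(b"PK\x03\x04 tampered after hashing")    # modified artifact
        (out / sym).unlink()                                             # listed but gone
        (out / "Acme.Extra.1.0.0.nupkg").write_bytes(b"PK\x03\x04 never hashed")
        return {"clean": clean, "broken": verify_sha256sums(out)}
```

A publish gate is then `all(s == "OK" for s in verify_sha256sums(dir).values())`; any other status should fail the job before the push to NuGet or GitHub Packages.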

Copilot AI review requested due to automatic review settings July 30, 2025 13:04
Contributor

Copilot AI left a comment

Pull Request Overview

This PR implements comprehensive supply chain security measures for the .NET package build and release process, focusing on verifiable authenticity, vulnerability scanning, and full traceability through SBOMs and attestations.

Key changes include:

  • Complete GitHub Actions workflow hardening with SHA-pinned actions, minimal permissions, and OIDC-based attestations
  • Enhanced Nuke build system with SBOM generation, Trivy security scanning, artifact hashing, and dependency auditing
  • Addition of reproducible build controls including clean git state verification and locked dependency restoration

Reviewed Changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

Files reviewed:

  • global.json: Pins .NET SDK version for reproducible builds
  • gitversion.yaml: Simplifies pull request branch regex pattern
  • build/_build.csproj: Updates tool versions and adds Microsoft SBOM tool
  • build/Build.cs: Major enhancement adding security scanning, SBOM generation, artifact hashing, and supply chain verification
  • .nuke/build.schema.json: Updates schema to reflect new build targets
  • .github/workflows/continuous.yml: Complete workflow overhaul with SHA-pinned actions, caching, attestations, and SBOM upload

Comments suppressed due to low confidence (1)

global.json:3

  • The .NET SDK version 8.0.412 does not exist. The latest .NET 8 SDK version as of my knowledge cutoff is 8.0.404. Please verify this version exists or use a known stable version like 8.0.404.
    "version": "8.0.412",

@eNeRGy164 eNeRGy164 force-pushed the harden-pipeline branch 2 times, most recently from 566825e to b1e2332 Compare July 30, 2025 13:33
@coveralls

coveralls commented Jul 30, 2025

Pull Request Test Coverage Report for Build 16632972189

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+1.9%) to 98.148%

Totals:

  • Change from base Build 16116985861: 1.9%
  • Covered Lines: 573
  • Relevant Lines: 578

💛 - Coveralls

@eNeRGy164 eNeRGy164 force-pushed the harden-pipeline branch 8 times, most recently from 9790b6a to 3e4841b Compare July 30, 2025 20:20
@eNeRGy164 eNeRGy164 merged commit 9198fb1 into dendrodocs:main Jul 30, 2025
2 checks passed
@eNeRGy164 eNeRGy164 deleted the harden-pipeline branch July 30, 2025 20:26
@eNeRGy164 eNeRGy164 added the workflow Changes related to the project's pipeline, automation, or CI/CD workflows. label Jul 30, 2025