Harden .NET supply chain with SBOMs, Trivy scan, provenance, and artifact attestation

.github/workflows/continuous.yml

@@ -1,47 +1,99 @@
+# This workflow builds, scans, and publishes .NET NuGet packages
+# using secure best practices: pinned actions, minimal permissions,
+# SBOM + hash-based supply chain attestations.
+
 name: Continuous
 
 on:
   push:
     branches:
-      - main
+      - main           # Only run on pushes to main
   pull_request:
     branches:
-      - main
+      - main           # Only run on PRs targeting main
   release:
-    types: [created]
+    types: [created]   # Run when a release is created
+
+# Least privilege permissions for the workflow by default
+permissions:
+  contents: read
+  packages: none
+  id-token: none
+  attestations: none
 
 jobs:
-  ubuntu-latest:
-    name: ubuntu-latest
-    runs-on: ubuntu-latest
+  build:
+    name: Build & Push
+    runs-on: ubuntu-24.04 # Use a modern, stable Ubuntu runner
+
+    # This job needs to publish, attest, and sign—so grant only here
     permissions:
-      contents: read
-      id-token: write
-      attestations: write
+      contents: read       # Allow only reading repo content
+      packages: write      # Allow publishing to GitHub Packages
+      id-token: write      # For OIDC-based signing/provenance
+      attestations: write  # For attest-sbom (SBOM attestation)
+
     steps:
-      - uses: actions/checkout@v4
+
+      # Pin every action by SHA for supply chain security!
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
-          fetch-depth: 0
+          fetch-depth: 0    # Fetch full history, so GitVersion and clean git state work
+
+      # Cache Nuke temp + NuGet global packages for faster builds and repeatable environments
       - name: 'Cache: .nuke/temp, ~/.nuget/packages'
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
         with:
           path: |
             .nuke/temp
             ~/.nuget/packages
           key: ${{ runner.os }}-${{ hashFiles('**/global.json', '**/*.csproj', '**/Directory.Packages.props') }}
+
+      # Cache the Trivy vulnerability DB for much faster scanning
+      - name: Cache Trivy DB
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
+        with:
+          path: .trivy-cache
+          key: ${{ runner.os }}-trivy-cache
+
+      # Run your hardened Nuke pipeline, which does: build, test, SBOM, hash, scan, etc.
       - name: 'Run: Push'
         run: ./build.cmd Push
         env:
-          FeedGitHubToken: ${{ secrets.FEED_GITHUB_TOKEN }}
+          FeedGitHubToken: ${{ secrets.GITHUB_TOKEN }}
           NuGetApiKey: ${{ secrets.NUGET_API_KEY }}
+
+      # Report test coverage to Coveralls
       - name: Report Coveralls
-        uses: coverallsapp/github-action@v2
-      - name: 'Attest: Build Provenance'
-        uses: actions/attest-build-provenance@v1
-        with:
-          subject-path: 'Artifacts/*.nupkg,Artifacts/*.snupkg'
+        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b
+
+      # Upload all build artifacts (NuGet packages, hash files, etc.) for inspection or later release
       - name: 'Publish: Artifacts'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           name: Artifacts
           path: Artifacts
+
+      # Upload the Software Bill of Materials (SBOM) for this build, to enable downstream trust/analysis
+      - name: Upload SBOM
+        if: >
+          (github.event_name == 'release') ||
+          (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'dendrodocs/dotnet-shared-lib')
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: SBOM
+          path: Sbom/_manifest/spdx_2.2/manifest.spdx.json
+
+      # Use GitHub's attest-sbom action to cryptographically tie the SBOM to the artifacts + their checksums
+      # (SLSA provenance proof, can be verified by downstream consumers)
+      - name: Attest SBOM
+        if: >
+          (github.event_name == 'release') ||
+          (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'dendrodocs/dotnet-shared-lib')
+        uses: actions/attest-sbom@bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b
+        with:
+          sbom-path: Sbom/_manifest/spdx_2.2/manifest.spdx.json
+          subject-path: |
+            Artifacts/*.nupkg
+            Artifacts/*.snupkg
+          subject-checksums: Artifacts/SHA256SUMS

.gitignore

@@ -263,4 +263,9 @@ paket-files/
 *.sln.iml
 pub/
 
-**/launchSettings.json
+**/launchSettings.json
+
+.trivy-cache
+.nuke/temp
+[Aa]rtifacts
+[Ss]bom

.nuke/build.schema.json

@@ -24,16 +24,21 @@
     "ExecutableTarget": {
       "type": "string",
       "enum": [
+        "Audit",
         "CalculateVersion",
         "Clean",
         "CodeCoverage",
         "Compile",
         "Pack",
+        "Proof",
         "Push",
         "PushGithub",
         "PushNuget",
         "Restore",
-        "UnitTests"
+        "SbomDeliverable",
+        "ScanSource",
+        "UnitTests",
+        "VerifyCleanGit"
       ]
     },
     "Verbosity": {

Directory.Packages.props

@@ -8,7 +8,6 @@
     <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageVersion Include="Nuke.Common" Version="9.0.4" />
     <PackageVersion Include="Nuke.Components" Version="9.0.4" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
     <PackageVersion Include="Shouldly" Version="4.3.0" />
   </ItemGroup>