
Add SBOM Attestations

Open askpt opened this issue 7 months ago • 0 comments

Overview

Similar to the approach taken in open-feature/dotnet-sdk-contrib#393, we should implement SBOM (Software Bill of Materials) attestations for the NuGet package produced by this repository. This improvement aligns with our commitment to maintaining a secure and transparent software supply chain.

Why This is Important

SBOMs provide a detailed inventory of the components and dependencies in the software, enhancing transparency, security, and compliance. Enabling SBOM attestations ensures that our NuGet package complies with modern security and supply chain best practices.

Reference

For more details on creating SBOM attestations using GitHub Actions, refer to this guide by Andrew Lock: Creating SBOM Attestations in GitHub Actions.

Tasks

  • [x] Update our GitHub Actions workflows to generate SBOM attestations for the NuGet package.
  • [x] Test and verify the generated SBOMs for accuracy.
  • [x] Upgrade action googleapis/release-please-action to v4
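As an added illustration of the first two tasks (example workflow, not the repository's own or the author's code): a release-triggered GitHub Actions job that builds the project, generates an SPDX SBOM with `anchore/sbom-action` (syft), attests it against the produced `.nupkg` with `actions/attest-sbom`, and verifies the result with `gh attestation verify`. The project path, .NET version and package glob are assumptions.

```yaml
name: release-sbom-attestation
on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write      # request the short-lived Sigstore signing identity
  attestations: write  # store the attestation in the repository

jobs:
  build-attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'   # assumption: adjust to the SDK in use

      # Build output (dll + *.deps.json) is what syft inventories for .NET.
      - name: Build
        run: dotnet build src/OpenFeature/OpenFeature.csproj -c Release -o ./out
        # assumption: project path

      - name: Pack
        run: dotnet pack src/OpenFeature/OpenFeature.csproj -c Release --no-build -o ./nupkg

      - name: Generate SPDX SBOM from the build output
        uses: anchore/sbom-action@v0
        with:
          path: ./out
          format: spdx-json
          output-file: ./sbom.spdx.json
          upload-artifact: false

      # Binds the SBOM to the package digest; the predicate is the SBOM itself.
      - name: Attest SBOM for the NuGet package
        uses: actions/attest-sbom@v1
        with:
          subject-path: ./nupkg/*.nupkg
          sbom-path: ./sbom.spdx.json

      # Consumer-side check: fails if no valid attestation signed by a workflow
      # from this owner exists for the artifact digest.
      - name: Verify attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          for pkg in ./nupkg/*.nupkg; do
            gh attestation verify "$pkg" --owner "${{ github.repository_owner }}"
          done
```

The same `gh attestation verify` command lets anyone who downloads the package confirm that an SBOM attestation was produced by this repository's workflow before trusting its contents.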

askpt, May 12 '25 15:05