Problem
Published images and compiled CLI artifacts need a verifiable build and dependency story. Current workflows do not publish SBOMs or provenance attestations, action references are tag-based, the base image is tag-based, and example binary downloads do not verify checksums.
Scope
- Pin GitHub Actions and base images by immutable digest.
- Verify downloaded release binaries with published checksums.
- Generate SBOMs for container and CLI artifacts.
- Publish build provenance attestations for GHCR images and release binaries.
- Add dependency update automation and vulnerability/container scanning.
- Document how users verify artifacts.
Acceptance criteria
An operator can verify the origin and dependency inventory of every released image and CLI binary.
Problem
Published images and compiled CLI artifacts need a verifiable build and dependency story. Current workflows do not publish SBOMs or provenance attestations, action references are tag-based, the base image is tag-based, and example binary downloads do not verify checksums.
Scope
Acceptance criteria
An operator can verify the origin and dependency inventory of every released image and CLI binary.