ci: add SBOM, signed provenance, and publish-side npm audit (#27)

Resolves the 7 open code-scanning findings (GHA-006, GHA-007, GHA-020,
GHA-024) on ci.yml and publish.yml:

  - publish.yml: gate on `npm audit --omit=dev --audit-level=high`
    before packaging so a vuln landing between CI and tag-push still
    trips the publish.
  - both workflows: produce a CycloneDX SBOM via anchore/sbom-action.
    Publish attaches it to the GitHub release; CI uploads it as the
    `sbom` artifact.
  - both workflows: emit a signed SLSA build provenance attestation
    for the .vsix via actions/attest-build-provenance (OIDC + Sigstore
    keyless). Covers both signing and provenance in one step.

CI's attest step is gated on `push` events — fork-PR runs get
read-only tokens and can't mint OIDC tokens or write attestations.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: dmartinochoa

.github/workflows/ci.yml

@@ -19,6 +19,13 @@ permissions:
   # gracefully without this (GitHub strips write tokens for forks), so
   # the gap only surfaced on the first push: main run.
   security-events: write
+  # attest-build-provenance needs an OIDC token (id-token) and write
+  # access to the repo's attestations store. Same fork caveat as
+  # security-events — declared here for push:main runs, gated by
+  # `if:` on the attest step so fork-PR runs don't fail trying to use
+  # them.
+  id-token: write
+  attestations: write
 
 jobs:
   check:
@@ -115,6 +122,29 @@ jobs:
         # bumps it via the npm config. `npm ci` has already installed it.
         run: npx vsce package --out pipeline-check.vsix
 
+      - name: Generate SBOM (CycloneDX)
+        # Linux-only — one SBOM per run is enough; the matrix legs
+        # would produce identical content from the same lockfile.
+        # Mirrors the publish workflow's SBOM step so a release SBOM
+        # can be diffed against a CI SBOM if the trees diverge.
+        if: matrix.os == 'ubuntu-latest'
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610  # v0.24.0
+        with:
+          format: cyclonedx-json
+          output-file: pipeline-check-sbom.cdx.json
+          artifact-name: sbom
+
+      - name: Attest build provenance
+        # Produces a signed SLSA build provenance attestation for the
+        # CI .vsix via OIDC + Sigstore keyless signing. Gated on
+        # `push` because fork-PR runs get read-only tokens that
+        # cannot mint OIDC tokens or write attestations. Linux-only
+        # — same one-per-run rationale as the SBOM step.
+        if: github.event_name == 'push' && matrix.os == 'ubuntu-latest'
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
+        with:
+          subject-path: pipeline-check.vsix
+
       - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7
         # Single artefact upload from the Linux job; identical-name
         # uploads from the matrix would collide.

.github/workflows/publish.yml

@@ -50,7 +50,9 @@ jobs:
     # publish steps will block on the environment gate.
     environment: production
     permissions:
-      contents: write   # needed by the "Create GitHub release" step
+      contents: write       # needed by the "Create GitHub release" step
+      id-token: write       # OIDC for sigstore signing via attest-build-provenance
+      attestations: write   # store the SLSA provenance attestation on the repo
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
         with:
@@ -121,6 +123,13 @@ jobs:
       - name: Bundle smoke
         run: npm run smoke
 
+      - name: npm audit (prod deps, high+)
+        # Block the publish if a HIGH/CRITICAL advisory affects a
+        # runtime dependency. Dev-only deps are out of scope — they
+        # don't ship in the .vsix. Mirrors the CI gate so a vuln that
+        # lands between CI and tag-push still trips here.
+        run: npm audit --omit=dev --audit-level=high
+
       - name: Detect pre-release tag
         # A tag like `v0.2.0-rc.1` (anything with a `-` after the
         # semver core) ships to the marketplace's pre-release channel
@@ -151,6 +160,31 @@ jobs:
           npx vsce package $PRERELEASE_FLAG --out "pipeline-check-${version}.vsix"
           ls -lh "pipeline-check-${version}.vsix"
           echo "VSIX_PATH=pipeline-check-${version}.vsix" >> $GITHUB_ENV
+          echo "SBOM_PATH=pipeline-check-${version}-sbom.cdx.json" >> $GITHUB_ENV
+
+      - name: Generate SBOM (CycloneDX)
+        # Scans package-lock.json so the SBOM captures the full
+        # production + transitive dep set, not just the tree-shaken
+        # bundle inside the .vsix. Output is attached to the GitHub
+        # release below so marketplace consumers can ingest it into
+        # their vuln-management pipeline.
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610  # v0.24.0
+        with:
+          format: cyclonedx-json
+          output-file: ${{ env.SBOM_PATH }}
+          # Suppress the action's own artifact upload — we ship the
+          # SBOM via `gh release create` below instead.
+          upload-artifact: false
+
+      - name: Attest build provenance
+        # Produces a signed SLSA build provenance attestation for the
+        # .vsix using GitHub's OIDC token and Sigstore's keyless
+        # signing flow. Satisfies both signing (cosign/sigstore) and
+        # SLSA provenance — consumers can verify with
+        # `gh attestation verify <vsix> --owner greylag-ci`.
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
+        with:
+          subject-path: ${{ env.VSIX_PATH }}
 
       - name: Publish to VS Code Marketplace
         env:
@@ -175,6 +209,6 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           version=$(node -p "require('./package.json').version")
-          gh release create "v${version}" "$VSIX_PATH" $GH_PRERELEASE \
+          gh release create "v${version}" "$VSIX_PATH" "$SBOM_PATH" $GH_PRERELEASE \
             --title "v${version}" \
             --notes-file <(awk '/^## \[/{n++} n==2{exit} n==1{print}' CHANGELOG.md)