
fix(ci): remove unverified Syft download in SBOM workflow#58

Merged: seonghobae merged 7 commits into develop from codex/fix-syft-ci-vulnerability-by-adding-verification on Mar 25, 2026

Conversation

seonghobae (Collaborator) commented Mar 12, 2026

Motivation

  • The SBOM workflow previously downloaded a Syft tarball at runtime and executed the binary in a job with contents: write, creating a supply-chain risk if the release or transport were tampered with.
  • The intent of the change is to remove execution of an unverified network-fetched binary while preserving SBOM generation and artifact upload behavior.

Description

  • Removed the ad-hoc curl + tar installation and execution of Syft from .github/workflows/sbom.yml and replaced SBOM generation with the pinned action anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d.
  • Kept SBOM output filename and artifact upload steps intact so downstream consumers are unaffected (bandscope-sbom.cdx.json artifact still produced and uploaded).
  • Security Notes: eliminated direct execution of a network-fetched tarball in CI, reduced the trust boundary by using a commit-pinned action reference, and ensured the job fails safely if SBOM generation fails.

Testing

  • Ran python3 scripts/checks/verify_supply_chain.py which passed successfully, validating the supply-chain baseline after the workflow update.

Codex Task

Walkthrough

In the GitHub Actions workflow, the explicit installation of the Syft tool and the direct CLI invocation are replaced by a dedicated GitHub Action (anchore/sbom-action) to generate the CycloneDX SBOM. The previous download and extraction steps are removed and the new step runs instead.

Changes

Cohort / File(s): SBOM Generation Workflow (.github/workflows/sbom.yml)
Summary: Removed the explicit Syft installation step and replaced it with the anchore/sbom-action GitHub Action. Configured automated SBOM generation in CycloneDX JSON format. Upload step retained.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hop, hop, a new action appears
Syft steps aside, the workflow grows lighter
CycloneDX treasure now springs forth with ease
The magic of SBOM, completed in a single line! ✨

coderabbitai Bot (Contributor) commented Mar 12, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 4460300 and 6f706c5.

📒 Files selected for processing (1)
  • .github/workflows/sbom.yml

Summary by CodeRabbit

Chores

  • Improved the SBOM (software bill of materials) generation workflow. Switched from manual binary download to a GitHub Action based automated approach, improving the efficiency and maintainability of the build process.

Walkthrough

The Syft binary download and direct execution steps were removed from the GitHub Actions workflow, and the anchore/sbom-action action is now used to scan the repository path (.) and generate a CycloneDX JSON SBOM. The action's artifact/release uploads are disabled, so the existing upload step continues to be used as before.

Changes

Cohort / File(s): SBOM Generation Workflow (.github/workflows/sbom.yml)
Summary: Removed the Syft binary download/extraction and direct execution ("$RUNNER_TEMP/syft" ...) steps. Replaced with anchore/sbom-action, generating the SBOM with path: ., format: cyclonedx-json, output-file: bandscope-sbom.cdx.json. The action's built-in upload settings (upload-artifact, upload-release-assets) are disabled by setting them to false.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop, the workflow has changed
Syft sets down its load and departs
One action and CycloneDX sparkles
The treasure file is quietly born ✨

Pre-merge checks: 3 passed
  • Title check: Passed. The title clearly summarizes the PR's main change, removing the unverified Syft download, and relates directly to the security fix.
  • Description check: Passed. The description covers the motivation for the change, the specific implementation details, test results, and security improvements in detail, and fully matches the changes.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sbom.yml:
- Around line 42-46: The SBOM step using
anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d currently relies on
its defaults which enable upload-artifact and upload-release-assets; disable
these automatic uploads by adding explicit inputs upload-artifact: false and
upload-release-assets: false to the anchore/sbom-action invocation (the block
containing uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d
and with: path/format/output-file) so the workflow stops duplicating uploads
that are already handled by the separate actions/upload-artifact and gh release
upload steps.

📥 Commits

Reviewing files that changed from the base of the PR and between 169f05a and 4460300.

📒 Files selected for processing (1)
  • .github/workflows/sbom.yml
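As an added illustration (not the project's sbom.yml, nor its scripts/checks/verify_supply_chain.py), the following Python check scans two constructed workflow fragments for the two risks raised in the PR description and in CodeRabbit's inline comment: a `uses:` reference that is not pinned to a full commit SHA, and a download piped straight into an extractor or shell inside a job that holds contents: write. The Syft download URL in the "before" fragment is a placeholder, and the "after" fragment carries the upload-artifact/upload-release-assets inputs the review asked for.

```python
import re

# Constructed "before" fragment, modelled on the PR description: an unverified
# Syft tarball fetched at runtime and executed in a job holding contents: write.
# The download URL is a placeholder, not the real Syft release location.
BEFORE = """\
permissions:
  contents: write
steps:
  - uses: actions/checkout@v4
  - name: Install and run Syft
    run: |
      curl -sSfL https://example.invalid/syft.tar.gz | tar -xz -C "$RUNNER_TEMP"
      "$RUNNER_TEMP/syft" . -o cyclonedx-json > bandscope-sbom.cdx.json
"""
# Constructed "after" fragment: the commit-pinned action from the PR, with its
# built-in uploads disabled as CodeRabbit's inline comment requested.
AFTER = """\
permissions:
  contents: write
steps:
  - uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d
    with:
      path: .
      format: cyclonedx-json
      output-file: bandscope-sbom.cdx.json
      upload-artifact: false
      upload-release-assets: false
"""
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")          # any step action reference
SHA_PINNED = re.compile(r"^[^@\s]+@[0-9a-f]{40}$")     # owner/repo@<full commit SHA>
FETCH_PIPE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(tar|sh|bash)\b")
WRITE_PERM = re.compile(r"^\s*contents:\s*write\s*$", re.M)

def audit_workflow(text):
    """Return (line_no, message) findings for the two risks the PR removes."""
    # A fetch-and-exec step is worse when the job token can write to the repo.
    note = " (job has contents: write)" if WRITE_PERM.search(text) else ""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m and not SHA_PINNED.match(m.group(1)):
            findings.append((n, f"action not pinned to a commit SHA: {m.group(1)}"))
        if FETCH_PIPE.search(line):
            findings.append((n, "download piped into extract/exec without verification" + note))
    return findings
```

Running audit_workflow over BEFORE flags the tag-pinned checkout and the curl-to-tar line; AFTER yields no findings.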

seonghobae (Collaborator, Author) commented:

@coderabbitai review

coderabbitai Bot (Contributor) commented Mar 25, 2026
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

seonghobae (Collaborator, Author) commented:

@coderabbitai review

coderabbitai Bot (Contributor) commented Mar 25, 2026
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

seonghobae enabled auto-merge (squash) March 25, 2026 13:14

seonghobae (Collaborator, Author) commented:

@coderabbitai resolve

coderabbitai Bot (Contributor) commented Mar 25, 2026
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot (Contributor) commented Mar 25, 2026
✅ Actions performed

Comments resolved and changes approved.
