Add SBOM release metadata

.github/workflows/release.yml

@@ -87,15 +87,36 @@ jobs:
 
       - name: Generate release checksums
         shell: bash
+        env:
+          VERSION: ${{ needs.version.outputs.version }}
         run: |
           mapfile -t files < <(find release-assets -type f -name '*.zip' | sort)
           if [ "${#files[@]}" -eq 0 ]; then
             echo "No release ZIP files were downloaded." >&2
             exit 1
           fi
 
+          timestamp="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+          sbom_file="release-assets/MarkdownTableEditorIdea-$VERSION-sbom.cdx.json"
+          cat > "$sbom_file" <<EOF
+          {
+            "bomFormat": "CycloneDX",
+            "specVersion": "1.6",
+            "version": 1,
+            "metadata": {
+              "timestamp": "$timestamp",
+              "component": {
+                "type": "application",
+                "name": "IdeaMarkdownTableEditor",
+                "version": "$VERSION",
+                "purl": "pkg:github/krotname/IdeaMarkdownTableEditor@v$VERSION"
+              }
+            }
+          }
+          EOF
+
           marketplace_doc="$(find release-assets -type f -name 'MARKETPLACE_SUBMISSION.md' | sort | head -n 1)"
-          checksum_files=("${files[@]}")
+          checksum_files=("${files[@]}" "$sbom_file")
           if [ -n "$marketplace_doc" ]; then
             checksum_files+=("$marketplace_doc")
           fi
@@ -107,6 +128,11 @@ jobs:
         uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
         with:
           subject-checksums: SHA256SUMS.txt
+      - name: Generate release SBOM attestation
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
+        with:
+          subject-path: release-assets/**/*.zip
+          sbom-path: release-assets/*-sbom.cdx.json
 
       - name: Publish GitHub release
         shell: bash
@@ -115,7 +141,7 @@ jobs:
           TAG_NAME: ${{ needs.version.outputs.tag }}
           VERSION: ${{ needs.version.outputs.version }}
         run: |
-          mapfile -t files < <(find release-assets -type f -name '*.zip' | sort)
+          mapfile -t files < <(find release-assets -type f \( -name '*.zip' -o -name '*-sbom.cdx.json' \) | sort)
           if [ "${#files[@]}" -eq 0 ]; then
             echo "No release ZIP files were downloaded." >&2
             exit 1
@@ -126,14 +152,15 @@ jobs:
           ## Builds / Downloads
 
           - [MarkdownTableEditorIdea-$VERSION.zip](https://github.com/krotname/IdeaMarkdownTableEditor/releases/download/v$VERSION/MarkdownTableEditorIdea-$VERSION.zip)
+          - [MarkdownTableEditorIdea-$VERSION-sbom.cdx.json](https://github.com/krotname/IdeaMarkdownTableEditor/releases/download/v$VERSION/MarkdownTableEditorIdea-$VERSION-sbom.cdx.json)
           - [SHA256SUMS.txt](https://github.com/krotname/IdeaMarkdownTableEditor/releases/download/v$VERSION/SHA256SUMS.txt)
           - [MARKETPLACE_SUBMISSION.md](https://github.com/krotname/IdeaMarkdownTableEditor/releases/download/v$VERSION/MARKETPLACE_SUBMISSION.md)
 
           ## What's Changed
 
           - Hardened GitHub Actions permissions, dependency review, CodeQL, Scorecard, and release checks after repository audit.
           - Refreshed the Gradle wrapper and build baseline used for the JetBrains IDE plugin package.
-          - Rebuilt the plugin ZIP with SHA-256 sums and provenance-ready release assets.
+          - Rebuilt the plugin ZIP with SHA-256 sums, SBOM, and GitHub attestations.
 
           ## Validation
 

README.en.md

@@ -64,6 +64,16 @@ The GIF is built from real JetBrains IDE screenshots on Windows: a regular `.md`
 
 The plugin is packaged as a dynamic plugin and is designed to install without restarting compatible JetBrains IDEs. If the IDE asks for a restart, the platform has detected a loading or unloading limitation in the current session.
 
+## Release Verification
+
+Each GitHub release publishes the plugin ZIP, `MARKETPLACE_SUBMISSION.md`,
+`SHA256SUMS.txt`, CycloneDX SBOM, and GitHub attestations.
+
+```bash
+sha256sum -c SHA256SUMS.txt
+gh attestation verify MarkdownTableEditorIdea-*.zip --repo krotname/IdeaMarkdownTableEditor
+```
+
 ## Compatibility
 
 The plugin is built with Java 17 bytecode and declares compatibility with IntelliJ Platform `223+` without an `until-build` upper bound.

README.md

@@ -64,6 +64,16 @@ GIF собран из реальных скриншотов IDE JetBrains под
 
 Плагин собран как dynamic plugin и рассчитан на установку без перезапуска IDE в совместимых версиях продуктов JetBrains. Если сама IDE попросит перезапуск, значит платформа обнаружила ограничение загрузки или выгрузки в текущей сессии.
 
+## Проверка Релиза
+
+Каждый GitHub release публикует plugin ZIP, `MARKETPLACE_SUBMISSION.md`,
+`SHA256SUMS.txt`, CycloneDX SBOM и GitHub attestations.
+
+```bash
+sha256sum -c SHA256SUMS.txt
+gh attestation verify MarkdownTableEditorIdea-*.zip --repo krotname/IdeaMarkdownTableEditor
+```
+
 ## Совместимость
 
 Плагин собран в bytecode Java 17 и заявляет совместимость с IntelliJ Platform `223+` без верхней границы `until-build`.

SECURITY.md

@@ -20,3 +20,9 @@ Include:
 - suggested mitigation if available.
 
 The maintainer aims to acknowledge valid reports within 48 hours and provide a remediation timeline after the impact is confirmed.
+
+## Supply-chain controls
+
+- Release packages include the plugin ZIP, `MARKETPLACE_SUBMISSION.md`, `SHA256SUMS.txt`, CycloneDX SBOM, and GitHub attestations.
+- GitHub Actions are pinned by immutable commit SHA.
+- Dependency Review, CodeQL, Scorecard, and actionlint run as repository quality gates.