Add SBOM release metadata

[krotname]

Summary

• add CycloneDX SBOM generation to release assets
• include SBOM in checksums and GitHub release upload
• make release provenance attestation mandatory
• document release verification and supply-chain controls

Validation

• workflow YAML parse and bash syntax checks
• git diff --check

[codecov]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fdd1ad63c1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use a concrete SBOM path for attestation

In the release job, this action input is not run through a shell, so the * is passed literally to actions/attest. I checked the pinned action: only subject-path is documented as accepting globs, while sbom-path is read directly with fs.stat(filePath), which will fail here with SBOM file not found because the generated file is named MarkdownTableEditor-$VERSION-sbom.cdx.json. Any release that reaches this step will fail before publishing.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Include the CycloneDX serialNumber

After the SBOM path is made explicit, the generated CycloneDX document is still rejected by the same pinned actions/attest code: its CycloneDX detector requires bomFormat, serialNumber, and specVersion, but this JSON only emits bomFormat and specVersion. That makes the SBOM attestation fail with Unsupported SBOM format, blocking releases that use the new SBOM step.

Useful? React with 👍 / 👎.