From fdd1ad63c1258e41f72537b4d9879f02332e3270 Mon Sep 17 00:00:00 2001
From: "Andrei.Ovcharenko"
Date: Sun, 21 Jun 2026 00:29:29 +0300
Subject: [PATCH] Add SBOM release metadata

---
 .github/workflows/release.yml | 32 ++++++++++++++++++++++++++++----
 README.en.md | 10 ++++++++++
 README.md | 10 ++++++++++
 SECURITY.md | 6 ++++++
 4 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 49b8cb1..aafa7f3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -124,6 +124,8 @@ jobs:
 - name: Generate release checksums
 shell: bash
+ env:
+ VERSION: ${{ needs.version.outputs.version }}
 run: |
 mkdir -p release-files
 mapfile -t downloaded_files < <(find release-assets -type f -name '*.zip' | sort)
@@ -136,15 +138,37 @@ jobs:
 cp "$file" "release-files/$(basename "$file")"
 done
- mapfile -t files < <(find release-files -maxdepth 1 -type f -name '*.zip' | sort)
+ timestamp="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+ cat > "release-files/MarkdownTableEditor-$VERSION-sbom.cdx.json" < SHA256SUMS.txt cat SHA256SUMS.txt
 - name: Generate release provenance attestation
- continue-on-error: true
 uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
 with:
 subject-checksums: SHA256SUMS.txt
+ - name: Generate release SBOM attestation
+ uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
+ with:
+ subject-path: release-files/*.zip
+ sbom-path: release-files/*-sbom.cdx.json
 - name: Publish GitHub release
 shell: bash
@@ -153,7 +177,7 @@ jobs:
 TAG_NAME: ${{ needs.version.outputs.tag }}
 VERSION: ${{ needs.version.outputs.version }}
 run: |
- mapfile -t files < <(find release-files -maxdepth 1 -type f -name '*.zip' | sort)
+ mapfile -t files < <(find release-files -maxdepth 1 -type f \( -name '*.zip' -o -name '*-sbom.cdx.json' \) | sort)
 if [ "${#files[@]}" -eq 0 ]; then
 echo "No release ZIP files were downloaded." >&2
 exit 1 
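Review bot: `VERSION` is taken straight from `needs.version.outputs.version` and, in the next hunk, spliced into a file name (`release-files/MarkdownTableEditor-$VERSION-sbom.cdx.json`) and presumably into the generated JSON, with nothing in this step checking its shape. A one-line guard at the top of the `run:` block keeps a tag with a slash, quote or `..` from producing a path outside `release-files` or a malformed SBOM: `[[ "$VERSION" =~ ^[0-9A-Za-z._-]+$ ]] || { echo "Unexpected VERSION value: $VERSION" >&2; exit 1; }`. The rest of the `Generate release checksums` step continues in the following hunk.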
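Review bot: The new `Generate release SBOM attestation` step passes `sbom-path` to `actions/attest`, but as far as I know that input is declared by `actions/attest-sbom`, while `actions/attest` expects `predicate-type` together with `predicate` or `predicate-path`; the runner would then warn about an unexpected input and the step would most likely fail for lack of a predicate instead of attaching the CycloneDX document. The simplest fix is `uses: actions/attest-sbom@<attest-sbom-commit-sha> # vN`, pinned to its own commit SHA like the other actions in this workflow, keeping `subject-path` and `sbom-path` as written; if the step stays on `actions/attest`, replace `sbom-path` with `predicate-type: https://cyclonedx.org/bom` and a `predicate-path` pointing at the single SBOM file. The heredoc body between `cat > "release-files/MarkdownTableEditor-$VERSION-sbom.cdx.json"` and the `SHA256SUMS.txt` redirection is not readable in this copy of the patch, so I could not check that the hand-written SBOM lists the shipped components or that the new `.cdx.json` is itself added to `SHA256SUMS.txt` (and thereby to the provenance subjects); a comment above the `cat` stating that the SBOM is maintained by hand and must be updated whenever bundled components change would help the next maintainer.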
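Review bot: The guard after the changed `mapfile` line no longer proves that a plugin archive exists: because the `find` now also matches `*-sbom.cdx.json`, a run in which only the SBOM landed in `release-files` passes the `-eq 0` check and publishes a release with no ZIPs, while the message `No release ZIP files were downloaded.` still talks about ZIPs. Keep a ZIP-only check first, `mapfile -t zips < <(find release-files -maxdepth 1 -type f -name '*.zip' | sort)` followed by `[ "${#zips[@]}" -gt 0 ] || { echo "No release ZIP files were downloaded." >&2; exit 1; }`, and only then build `files` with the wider pattern for the upload. The `Publish GitHub release` run block continues past the end of this hunk.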
@@ -163,7 +187,7 @@ jobs:
 - Hardened GitHub Actions permissions, dependency review, CodeQL, Scorecard, release packaging, and remote-update checks after repository audit.
 - Refreshed compatibility smoke scripts and packaging targets for the current Notepad++ plugin release baseline.
- - Rebuilt x86, x64, and arm64 plugin ZIPs plus Plugin Admin ZIPs with SHA-256 sums.
+ - Rebuilt x86, x64, and arm64 plugin ZIPs plus Plugin Admin ZIPs with SHA-256 sums, SBOM, and GitHub attestations.
 ## Validation
diff --git a/README.en.md b/README.en.md
index 1bc5aa2..ec99d6f 100644
--- a/README.en.md
+++ b/README.en.md
@@ -68,6 +68,16 @@ If Windows does not allow writing to `Program Files`, install the plugin in the
 %LOCALAPPDATA%\Notepad++\plugins\MarkdownTableEditor\MarkdownTableEditor.dll
 ```
+## Release Verification
+
+Each release publishes x86/x64/arm64 ZIP archives, Plugin Admin ZIPs,
+`SHA256SUMS.txt`, CycloneDX SBOM, and GitHub attestations.
+
+```bash
+sha256sum -c SHA256SUMS.txt
+gh attestation verify MarkdownTableEditor-*-x64.zip --repo krotname/NppMarkdownTableEditor
+```
+
 ## Publication
 - Official Notepad++ Plugin List pull request: https://github.com/notepad-plus-plus/nppPluginList/pull/1115
diff --git a/README.md b/README.md
index a4f544e..34747c1 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,16 @@ C:\Program Files\Notepad++\plugins\MarkdownTableEditor\MarkdownTableEditor.dll
 %LOCALAPPDATA%\Notepad++\plugins\MarkdownTableEditor\MarkdownTableEditor.dll
 ```
+## Проверка Релиза
+
+Каждый release публикует ZIP-архивы для x86/x64/arm64, Plugin Admin ZIP,
+`SHA256SUMS.txt`, CycloneDX SBOM и GitHub attestations.
+
+```bash
+sha256sum -c SHA256SUMS.txt
+gh attestation verify MarkdownTableEditor-*-x64.zip --repo krotname/NppMarkdownTableEditor
+```
+
 ## Публикация
 - PR в официальный Notepad++ Plugin List: https://github.com/notepad-plus-plus/nppPluginList/pull/1115
diff --git a/SECURITY.md b/SECURITY.md
index 3bf344d..5145422 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -20,3 +20,9 @@ Include:
 - suggested mitigation if available.
 The maintainer aims to acknowledge valid reports within 48 hours and provide a remediation timeline after the impact is confirmed.
+
+## Supply-chain controls
+
+- Release packages include architecture ZIPs, Plugin Admin ZIPs, `SHA256SUMS.txt`, CycloneDX SBOM, and GitHub attestations.
+- GitHub Actions are pinned by immutable commit SHA.
+- Dependency Review, CodeQL, Scorecard, and actionlint run as repository quality gates.