chore(security): add SBOM artifact retention policy

### Issue Description

Part of #256

Update artifact retention configuration to include SBOM reports in the compliance tier and verify dependency pinning validation passes for the new actions.

### Implementation

1. **Update `.github/artifact-retention.yml`** — add `sbom_reports` to the compliance artifact retention tier (365 days)
2. **Update `scripts/security/tool-checksums.json`** — add entries for `anchore/sbom-action` and `actions/attest-sbom` if applicable
3. **Run `Test-DependencyPinning.ps1`** — verify the modified workflow passes SHA-pinning validation

### SHA References

| Action | Version | SHA |
|---|---|---|
| `anchore/sbom-action` | v0.22.2 | `28d71544de8eaf1b958d335707167c5f783590ad` |
| `actions/attest-sbom` | v2.4.0 | `bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b` |

### Acceptance Criteria

- [ ] `sbom_reports` added to compliance tier in `.github/artifact-retention.yml`
- [ ] `Test-DependencyPinning.ps1` passes with new actions pinned
- [ ] `tool-checksums.json` updated if applicable

### References

- [Test-DependencyPinning.ps1](https://github.com/microsoft/hve-core/blob/main/scripts/security/Test-DependencyPinning.ps1)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(security): add SBOM artifact retention policy #453

Issue Description

Implementation

SHA References

Acceptance Criteria

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Action	Version	SHA
`anchore/sbom-action`	v0.22.2	`28d71544de8eaf1b958d335707167c5f783590ad`
`actions/attest-sbom`	v2.4.0	`bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b`

chore(security): add SBOM artifact retention policy #453

Description

Issue Description

Implementation

SHA References

Acceptance Criteria

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions