chore(security): add SBOM artifact retention policy#479
Merged

WilliamBerryiii merged 2 commits into microsoft:main on Feb 12, 2026
Conversation
Add sbom_reports to the compliance artifact retention tier (365 days) in artifact-retention.yml with SHA-pinned action references for anchore/sbom-action@v0.22.2 and actions/attest-sbom@v2.4.0.

- Add sbom_reports artifact type with 365-day retention
- Add sbom_reports to compliance required_artifacts list
- Add sbom_reports compression setting in github_actions section
- tool-checksums.json not updated (tracks binary tools, not GH Actions)

Closes microsoft#453
Part of microsoft#256
Codecov Report ✅ All modified and coverable lines are covered by tests.

Coverage diff, main vs #479:

| | main | #479 | +/- |
|---|---|---|---|
| Coverage | 83.43% | 83.40% | -0.03% |
| Files | 20 | 20 | |
| Lines | 3507 | 3507 | |
| Hits | 2926 | 2925 | -1 |
| Misses | 581 | 582 | +1 |
Member:
Nice contribution! One schema consistency callout for the team: The new Tracked in #483 for follow-up.
Contributor (Author):
Thanks for the review, will work on 483.
WilliamBerryiii approved these changes, Feb 12, 2026.
bindsi pushed a commit that referenced this pull request, Feb 13, 2026:
…487)

## Summary

Standardize the `actions:` sub-schema introduced in #479 by extracting it into a dedicated top-level `action_mappings:` section, as proposed in #483.

## Approach

Chose **Option B** from #483 — extract to a separate section. This keeps artifact type definitions uniform (all follow the same retention_days/description/compression_level pattern) while providing a centralized place for action-to-artifact traceability.

## Changes

### `.github/artifact-retention.yml`

- **Removed** `actions:` block from `sbom_reports` artifact type
- **Added** top-level `action_mappings:` section mapping GitHub Actions to their artifact types:

| Artifact Type | Actions |
|--------------|---------|
| `security_reports` | `github/codeql-action/analyze`, `github/codeql-action/upload-sarif`, `ossf/scorecard-action`, `actions/dependency-review-action` |
| `build_artifacts` | `actions/upload-artifact`, `actions/attest-build-provenance` |
| `test_results` | `codecov/codecov-action` |
| `sbom_reports` | `anchore/sbom-action`, `actions/attest-sbom` |

All SHAs match the pins currently used in workflow files.

## Validation

- ✅ YAML lint passes
- ✅ `Test-DependencyPinning.ps1` — 100% compliance
- ✅ Pester tests — 47/47 passed

Closes #483
Depends on #479
WilliamBerryiii pushed a commit that referenced this pull request, Feb 13, 2026:
🤖 I have created a release *beep* *boop*

---

## [2.3.0](hve-core-v2.2.0...hve-core-v2.3.0) (2026-02-13)

### ✨ Features

* **agents:** add GitHub backlog management pipeline ([#448](#448)) ([2b4d123](2b4d123))
* **docs:** define inactivity closure policies for issues and PRs ([#452](#452)) ([5e710fd](5e710fd))
* **extension:** implement collection-based plugin distribution system ([#439](#439)) ([3156d98](3156d98))
* **instructions:** replace EVEN/ODD hardcoding with runtime milestone discovery protocol ([#486](#486)) ([ae95eb2](ae95eb2))
* **plugin:** support Copilot CLI plugin generation from collection manifests ([#496](#496)) ([e6cee85](e6cee85))
* **scripts:** enhance on-create.sh to install actionlint and PowerShell modules ([#500](#500)) ([67585f5](67585f5))

### 🐛 Bug Fixes

* **docs:** replace broken relative link with inline code reference ([#465](#465)) ([8133b36](8133b36))
* **instructions:** prevent local-only paths from leaking into GitHub issues ([#489](#489)) ([497d2fe](497d2fe))
* **workflows:** prevent release-please infinite loop on main branch ([#470](#470)) ([134bdd6](134bdd6))
* **workflows:** remove release-please skip guard that prevents tag creation ([#511](#511)) ([5e53271](5e53271))

### 📚 Documentation

* **agents:** add GitHub Backlog Manager documentation and agent catalog ([#503](#503)) ([5e818ce](5e818ce))
* align CONTRIBUTING.md with docs/contributing/ guides ([#445](#445)) ([73ef6aa](73ef6aa))

### ♻️ Refactoring

* **scripts:** refactor dev-tools and lib scripts to use CIHelpers module ([#482](#482)) ([fdf9145](fdf9145))
* **scripts:** standardize PowerShell entry point guard pattern ([#477](#477)) ([6b84a8e](6b84a8e))

### 🔧 Maintenance

* **config:** standardize action mappings in artifact-retention.yml ([#487](#487)) ([7927db2](7927db2))
* **deps-dev:** bump cspell from 9.6.2 to 9.6.4 in the npm-dependencies group ([#461](#461)) ([c788095](c788095))
* **deps:** bump actions/setup-python from 5.1.1 to 6.2.0 in the github-actions group ([#462](#462)) ([69ef3c9](69ef3c9))
* **security:** add SBOM artifact retention policy ([#479](#479)) ([8031557](8031557)), closes [#453](#453)

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
## Summary

Add `sbom_reports` to the compliance artifact retention tier (365 days) per #453 (part of #256).

## Changes

- `.github/artifact-retention.yml`:
  - `sbom_reports` artifact type under `artifact_types` with: `anchore/sbom-action@v0.22.2` and `actions/attest-sbom@v2.4.0`
  - `sbom_reports` to `compliance.required_artifacts` list
  - `sbom_reports` compression entry in `github_actions.compression`
- `scripts/security/tool-checksums.json`: `Test-DependencyPinning.ps1` via workflow file scanning, not via this manifest.

## Acceptance Criteria

- `sbom_reports` added to compliance tier in `.github/artifact-retention.yml`
- `Test-DependencyPinning.ps1` — no new workflow files reference the SBOM actions yet, so pinning validation is not applicable until workflows are added
- `tool-checksums.json` — not applicable (binary tools only)

## SHA References

- `anchore/sbom-action`: `28d71544de8eaf1b958d335707167c5f783590ad`
- `actions/attest-sbom`: `bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b`

Closes #453
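As an added example (not part of this PR, and not the project's `Test-DependencyPinning.ps1`), the script below models the two invariants this PR and the follow-up in #487 rely on. First, the retention manifest must be internally consistent: every `compliance.required_artifacts` entry and every `action_mappings` key must name a defined artifact type, each type must carry the retention/compression fields, and each recorded pin must be a full 40-hex commit SHA. Second, each `uses:` reference in a workflow must be pinned to a commit SHA rather than a mutable tag or branch, carry a trailing `# vX.Y.Z` comment so the pin stays reviewable, and agree with the SHA recorded for that action in `action_mappings`. The `MANIFEST` dict, the `WORKFLOW` text and every SHA in it are constructed test data; the workflow deliberately contains one unpinned tag, one pin without a version comment and one pin that disagrees with the manifest.

```python
"""Consistency checks for an artifact-retention manifest and workflow pins.

Added illustration, not the project's Test-DependencyPinning.ps1 and not
code from this PR. MANIFEST mirrors the shape described in #479/#487
(artifact_types, compliance.required_artifacts, action_mappings); WORKFLOW
and every SHA below are constructed test data, not real pins.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")

# Matches `- uses: owner/repo[/path]@ref   # vX.Y.Z`. Local (`./...`) and
# `docker://` actions have no `owner/repo@ref` form and are not matched.
# Only spaces/tabs may precede '#', so a '#' on the next line is never
# mistaken for this step's version comment.
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.\-/]+)@([^\s#]+)(?:[ \t]*#[ \t]*(\S+))?",
    re.MULTILINE,
)

# Constructed manifest; the SHAs are placeholders.
MANIFEST = {
    "artifact_types": {
        "security_reports": {"retention_days": 365, "compression_level": 6},
        "sbom_reports": {"retention_days": 365, "compression_level": 6},
        "build_artifacts": {"retention_days": 90, "compression_level": 6},
    },
    "compliance": {"required_artifacts": ["security_reports", "sbom_reports"]},
    "action_mappings": {
        "sbom_reports": {
            "anchore/sbom-action": "a" * 40,
            "actions/attest-sbom": "d" * 40,
        },
        "build_artifacts": {"actions/upload-artifact": "b" * 40},
    },
}

# Constructed workflow with three deliberate defects: checkout has no
# version comment, attest-sbom is a mutable tag, upload-artifact's SHA
# disagrees with MANIFEST. The local action is ignored by the scanner.
WORKFLOW = f"""\
name: sbom
on: [push]
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{'c' * 40}
      - uses: anchore/sbom-action@{'a' * 40} # v0.22.2
      - uses: actions/attest-sbom@v2.4.0
      - uses: actions/upload-artifact@{'f' * 40} # v4.0.0
      - uses: ./.github/actions/local-step
"""


def check_manifest(manifest):
    """Return structural findings for the retention manifest (empty = OK)."""
    findings = []
    types = manifest.get("artifact_types", {})
    for name, spec in types.items():
        for key in ("retention_days", "compression_level"):
            if key not in spec:
                findings.append(f"artifact_types.{name}: missing {key}")
    for name in manifest.get("compliance", {}).get("required_artifacts", []):
        if name not in types:
            findings.append(f"compliance.required_artifacts: '{name}' is not a defined artifact type")
    for name, actions in manifest.get("action_mappings", {}).items():
        if name not in types:
            findings.append(f"action_mappings.{name}: not a defined artifact type")
        for action, sha in actions.items():
            if not SHA40.match(sha):
                findings.append(f"action_mappings.{name}.{action}: '{sha}' is not a 40-hex commit SHA")
    return findings


def expected_pins(manifest):
    """Flatten action_mappings into a single action -> SHA dict."""
    pins = {}
    for actions in manifest.get("action_mappings", {}).values():
        pins.update(actions)
    return pins


def check_workflow(workflow_text, manifest):
    """Return pinning findings for one workflow file (empty = OK)."""
    findings = []
    pins = expected_pins(manifest)
    for match in USES_LINE.finditer(workflow_text):
        action, ref, version_comment = match.groups()
        if not SHA40.match(ref):
            findings.append(f"{action}@{ref}: not pinned to a full commit SHA (mutable tag or branch)")
            continue
        if version_comment is None:
            findings.append(f"{action}@{ref[:7]}: pinned without a trailing '# vX.Y.Z' comment")
        expected = pins.get(action)
        if expected is not None and expected != ref:
            findings.append(f"{action}: workflow pins {ref[:7]} but action_mappings records {expected[:7]}")
    return findings


if __name__ == "__main__":
    problems = check_manifest(MANIFEST) + check_workflow(WORKFLOW, MANIFEST)
    for problem in problems:
        print("FAIL", problem)
    raise SystemExit(1 if problems else 0)
```

Run stand-alone, the script reports the three constructed defects and exits non-zero. In CI the same functions would be fed the real `.github/artifact-retention.yml` (through a YAML loader) and every file under `.github/workflows/`, which is the "workflow file scanning" the PR body refers to. Note the limit of the cross-check: agreement between a workflow pin and `action_mappings` proves only that the two files agree, not that the SHA is the commit the `# v…` comment claims; establishing that still requires resolving the tag in the upstream repository.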