feat(workflows): add SBOM generation, attestation, and diff tooling to release pipeline

[WilliamBerryiii]

Description

This PR introduced comprehensive Software Bill of Materials (SBOM) support into the release pipeline, covering dependency scanning, per-VSIX artifact scanning, Sigstore-backed attestation, and release-over-release dependency diffing. A shared Syft configuration file centralized scanner settings across all SBOM jobs.

Release Pipeline SBOM and Attestation

The core of this change added three new stages to the release job graph in .github/workflows/main.yml.

A dedicated generate-dependency-sbom job produced a repository-wide dependencies.spdx.json in SPDX 2.3 JSON format, using a sparse checkout of dependency manifests and the shared .syft.yaml config. This job also enabled GitHub's dependency snapshot integration and uploaded the SBOM directly to the GitHub Release.

The existing attest-and-upload job was restructured to generate per-VSIX SBOMs via anchore/sbom-action, then attest both the VSIX-specific and dependency SBOMs using actions/attest-sbom@v3.0.0 with Sigstore. The VSIX filename resolution was refactored from an inline find | head pattern into deterministic step outputs, simplifying the upload command and removing a potential race condition. Both the VSIX and its companion SBOM JSON are now uploaded in a single gh release upload call.

Dependency Diff Tooling

A new sbom-diff job compared the current dependency SBOM against the previous release's SBOM using an inline Python script. The script parsed both SPDX JSON files, filtered out root-level document descriptors, and computed added, removed, and version-changed package sets. Output was written as a markdown report (dependency-diff.md) and uploaded to the release. The job used continue-on-error: true so diff failures did not block the release, and it handled missing previous releases or missing prior SBOMs gracefully.

Syft Configuration

A new root-level .syft.yaml file centralized Syft scanner settings: include-dev-dependencies, search-remote-licenses against the npm registry, and the registry base URL. Both SBOM-generating jobs sparse-checkout this file for consistent configuration.

Dependency Version Alignment

The actions/attest-sbom pinned version in .github/artifact-retention.yml was updated from v2.4.0 to v3.0.0, aligning the tracked version with the SHA used in the workflow.

Related Issue(s)

Closes #455
Closes #256

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

Testing

Automated validation performed:

• actionlint — Passed (workflow syntax validation)
• SHA consistency check — Passed (83 pinned actions, 0 mismatches across .github/artifact-retention.yml and workflow files)
• Diff-based security analysis — No sensitive data exposure, no privilege escalation, no unintended changes detected
• Conventional commits compliance — Both commits follow feat(workflows): format

Manual testing:

• Manual testing was not performed. The workflow changes are gated behind release_created == 'true' and will execute on the next tagged release.

Checklist

Required Checks

• Documentation is updated (if applicable) (N/A — no documentation changes required for workflow-only additions)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable) (N/A — GitHub Actions workflow jobs validated via actionlint; no unit-testable code added)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check (7 pre-existing issues in unrelated files)
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege (N/A — no security scripts modified)

Additional Notes

• All third-party actions use pinned commit SHAs with version comments, consistent with the repository's dependency-pinning policy.
• The dependency SBOM is generated once and consumed by two downstream jobs via artifact download, avoiding duplication.
• The sbom-diff job treats the dependency diff as informational (continue-on-error: true) rather than a release gate.
• The inline Python diff script in the sbom-diff job filters out root-level SPDX document descriptors to compare only actual dependency packages.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/attest-sbom	4651f806c01d8637787e274ac3bdf724ef169f34	Unknown	Unknown
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 6.2	Details Check Score Reason Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/anchore/sbom-action	28d71544de8eaf1b958d335707167c5f783590ad	🟢 7.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• .github/workflows/main.yml

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.59%. Comparing base (8cb62a7) to head (a454da3).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #730      +/-   ##
==========================================
+ Coverage   84.11%   86.59%   +2.48%     
==========================================
  Files          24       25       +1     
  Lines        4727     4893     +166     
==========================================
+ Hits         3976     4237     +261     
+ Misses        751      656      -95     

Flag	Coverage Δ
pester	86.59% <ø> (+2.48%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 10 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.