Harden .NET supply chain with SBOMs, Trivy scan, provenance, and artifact attestation #134
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow builds, scans, and publishes .NET NuGet packages | |
| # using secure best practices: pinned actions, minimal permissions, | |
| # SBOM + hash-based supply chain attestations. | |
| name: Continuous | |
| on: | |
| push: | |
| branches: | |
| - main # Only run on pushes to main | |
| pull_request: | |
| branches: | |
| - main # Only run on PRs targeting main | |
| release: | |
| types: [created] # Run when a release is created | |
| permissions: | |
| contents: read # Allow reading repo content (needed for most steps) | |
| packages: write # Allow publishing packages to GitHub/NuGet feeds | |
| attestations: write # For GitHub's attestation API, used by attest-sbom | |
| jobs: | |
| build: | |
| name: Build & Push | |
| runs-on: ubuntu-24.04 # Use a modern, stable Ubuntu runner | |
| permissions: | |
| id-token: write # For OIDC-based provenance/attestation (Sigstore etc.) | |
| steps: | |
| # Pin every action by SHA for supply chain security! | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| fetch-depth: 0 # Fetch full history, so GitVersion and clean git state work | |
| # Cache Nuke temp + NuGet global packages for faster builds and repeatable environments | |
| - name: 'Cache: .nuke/temp, ~/.nuget/packages' | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 | |
| with: | |
| path: | | |
| .nuke/temp | |
| ~/.nuget/packages | |
| key: ${{ runner.os }}-${{ hashFiles('**/global.json', '**/*.csproj', '**/Directory.Packages.props') }} | |
| # Cache the Trivy vulnerability DB for much faster scanning | |
| - name: Cache Trivy DB | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 | |
| with: | |
| path: .trivy-cache | |
| key: ${{ runner.os }}-trivy-cache | |
| restore-keys: | | |
| ${{ runner.os }}-trivy-cache | |
| # Run your hardened Nuke pipeline, which does: build, test, SBOM, hash, scan, etc. | |
| - name: 'Run: Push' | |
| run: ./build.cmd Push | |
| env: | |
| FeedGitHubToken: ${{ secrets.FEED_GITHUB_TOKEN }} | |
| NuGetApiKey: ${{ secrets.NUGET_API_KEY }} | |
| # Report test coverage to Coveralls | |
| - name: Report Coveralls | |
| uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b | |
| # Upload all build artifacts (NuGet packages, hash files, etc.) for inspection or later release | |
| - name: 'Publish: Artifacts' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 | |
| with: | |
| name: Artifacts | |
| path: Artifacts | |
| # Upload the Software Bill of Materials (SBOM) for this build, to enable downstream trust/analysis | |
| - name: Upload SBOM | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 | |
| with: | |
| name: SBOM | |
| path: Sbom/_manifest/spdx_2.2/manifest.spdx.json | |
| # Use GitHub's attest-sbom action to cryptographically tie the SBOM to the artifacts + their checksums | |
| # (SLSA provenance proof, can be verified by downstream consumers) | |
| - name: Attest SBOM | |
| uses: actions/attest-sbom@bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b | |
| with: | |
| sbom-path: Sbom/_manifest/spdx_2.2/manifest.spdx.json | |
| subject-path: | | |
| Artifacts/*.nupkg | |
| Artifacts/*.snupkg | |
| subject-checksums: Artifacts/SHA256SUMS |