Harden .NET supply chain with SBOMs, Trivy scan, provenance, and artifact attestation #135
Workflow file for this run
# This workflow builds, scans, and publishes .NET NuGet packages
# using secure best practices: pinned actions, minimal permissions,
# SBOM + hash-based supply chain attestations.
name: Continuous

on:
  push:
    branches:
      - main                # Only run on pushes to main
  pull_request:
    branches:
      - main                # Only run on PRs targeting main
  release:
    types: [created]        # Run when a release is created

# Global defaults: least privilege
permissions:
  contents: read            # Allow reading repo content (needed for most steps)
  packages: none            # Don't allow package read/write unless explicitly needed
  attestations: none        # Don't allow attestation unless explicitly needed
  id-token: none            # Don't allow OIDC unless explicitly needed

jobs:
  build:
    name: Build & Push
    runs-on: ubuntu-24.04   # Use a modern, stable Ubuntu runner
    # This job needs to publish, attest, and sign, so grant only here.
    # Note: a job-level permissions block replaces the workflow-level one entirely
    # (every scope not listed here becomes none), so contents: read is re-stated.
    permissions:
      contents: read        # Needed for actions/checkout in this job
      packages: write       # Allow publishing to GitHub Packages
      attestations: write   # For attest-sbom (SBOM attestation)
      id-token: write       # For OIDC-based signing/provenance
    steps:
      # Pin every action by SHA for supply chain security!
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          fetch-depth: 0    # Fetch full history, so GitVersion and clean git state work

      # Cache Nuke temp + NuGet global packages for faster builds and repeatable environments
      - name: 'Cache: .nuke/temp, ~/.nuget/packages'
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
        with:
          path: |
            .nuke/temp
            ~/.nuget/packages
          key: ${{ runner.os }}-${{ hashFiles('**/global.json', '**/*.csproj', '**/Directory.Packages.props') }}

      # Cache the Trivy vulnerability DB for much faster scanning
      - name: Cache Trivy DB
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
        with:
          path: .trivy-cache
          key: ${{ runner.os }}-trivy-cache
          restore-keys: |
            ${{ runner.os }}-trivy-cache

      # Run your hardened Nuke pipeline, which does: build, test, SBOM, hash, scan, etc.
      - name: 'Run: Push'
        run: ./build.cmd Push
        env:
          FeedGitHubToken: ${{ secrets.FEED_GITHUB_TOKEN }}
          NuGetApiKey: ${{ secrets.NUGET_API_KEY }}

      # Report test coverage to Coveralls
      - name: Report Coveralls
        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b

      # Upload all build artifacts (NuGet packages, hash files, etc.) for inspection or later release
      - name: 'Publish: Artifacts'
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: Artifacts
          path: Artifacts

      # Upload the Software Bill of Materials (SBOM) for this build, to enable downstream trust/analysis
      - name: Upload SBOM
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: SBOM
          path: Sbom/_manifest/spdx_2.2/manifest.spdx.json

      # Use GitHub's attest-sbom action to cryptographically tie the SBOM to the artifacts + their checksums
      # (SLSA provenance proof, can be verified by downstream consumers)
      - name: Attest SBOM
        uses: actions/attest-sbom@bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b
        with:
          sbom-path: Sbom/_manifest/spdx_2.2/manifest.spdx.json
          subject-path: |
            Artifacts/*.nupkg
            Artifacts/*.snupkg
          subject-checksums: Artifacts/SHA256SUMS
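The workflow above relies on two things it never checks itself: that every `uses:` line really is pinned to a commit SHA, and that the `Artifacts/SHA256SUMS` file handed to attest-sbom actually matches the packages on disk. The script below is an added example, not code from PR #135 or from the project's Nuke pipeline; it implements both checks as POSIX shell functions plus a consumer-side wrapper around `gh attestation verify`. It assumes (the page does not say) that packages live under `./Artifacts`, that the checksum file uses `sha256sum` format (`<hex>  <name>`), and that `sha256sum` (or `shasum`) is installed.

```shell
#!/usr/bin/env sh
# Added example (not part of PR #135 or its workflow): defender-side checks for the
# two supply-chain controls in the workflow above: actions pinned to a commit SHA,
# and the Artifacts/SHA256SUMS file passed to attest-sbom as `subject-checksums`.
# Assumptions (not stated on the page): packages live under ./Artifacts, the checksum
# file is in `sha256sum` format ("<hex>  <name>"), and sha256sum or shasum exists.

# Hash helper: GNU sha256sum on the Ubuntu runner, shasum as a fallback elsewhere.
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# check_action_pins WORKFLOW.yml
# Lists every `uses:` reference that is not pinned to a full 40-hex commit SHA.
# Tags and branches are mutable (a tag can be re-pointed at different code), so a
# SHA is the only reference that ties the step to an exact, reviewable commit.
# Local (./path) and docker:// references are skipped. Returns 1 if any are unpinned.
check_action_pins() {
  refs=$(grep -E '^[[:space:]]*(-[[:space:]]+)?uses:' "$1" \
    | sed -E 's/^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]+$//')
  unpinned=$(printf '%s\n' "$refs" \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true)
  if [ -n "$unpinned" ]; then
    printf '%s\n' "$unpinned" | sed 's/^/UNPINNED: /'
    return 1
  fi
  return 0
}

# write_checksums DIR
# Produces DIR/SHA256SUMS over the *.nupkg and *.snupkg subjects, with names relative
# to DIR so the entries line up with the `subject-path` globs used in the workflow.
write_checksums() {
  ( cd "$1" || exit 1
    : > SHA256SUMS
    for f in *.nupkg *.snupkg; do
      [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
      _sha256 "$f" >> SHA256SUMS
    done
    [ -s SHA256SUMS ]                  # fail if no subjects were hashed
  )
}

# verify_checksums DIR
# Re-hashes each listed subject; any modified or missing package makes this fail.
# Run it right before the attest step so a tampered or stale SHA256SUMS can never
# become the subject list of a signed attestation.
verify_checksums() {
  ( cd "$1" || exit 1
    _sha256 -c SHA256SUMS >/dev/null )
}

# verify_attestation FILE OWNER
# Consumer side: asks GitHub's Sigstore-backed store for an attestation whose subject
# digest matches FILE and whose signing workflow belongs to OWNER. Needs network and
# an authenticated `gh`, so it is not exercised offline.
verify_attestation() {
  gh attestation verify "$1" --owner "$2"
}
```

In practice `check_action_pins .github/workflows/continuous.yml` (path assumed) belongs in a pre-merge check so a contributor cannot quietly replace a SHA with a tag, while `write_checksums Artifacts` followed by `verify_checksums Artifacts` belongs inside the "Run: Push" step, immediately before the "Attest SBOM" step consumes the file.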