Update pipeline security

Author: eNeRGy164

.github/workflows/Continuous.yml

@@ -8,32 +8,81 @@ on:
     branches:
       - main
   release:
-    types: [created]
+    types:
+      - created
+
+permissions:
+  contents: read
+  packages: none
+  id-token: none
+  attestations: none
 
 jobs:
-  ubuntu-latest:
-    name: ubuntu-latest
-    runs-on: ubuntu-latest
+  build:
+    name: Build & Push
+    runs-on: ubuntu-24.04
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+
     steps:
-      - uses: actions/checkout@v4
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
+
       - name: 'Cache: .nuke/temp, ~/.nuget/packages'
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
         with:
           path: |
             .nuke/temp
             ~/.nuget/packages
           key: ${{ runner.os }}-${{ hashFiles('**/global.json', '**/*.csproj', '**/Directory.Packages.props') }}
+
+      - name: Cache Trivy DB
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
+        with:
+          path: .trivy-cache
+          key: ${{ runner.os }}-trivy-cache
+
       - name: 'Run: Push'
         run: ./build.cmd Push
         env:
           FeedGitHubToken: ${{ secrets.FEED_GITHUB_TOKEN }}
           NuGetApiKey: ${{ secrets.NUGET_API_KEY }}
+
       - name: Report Coveralls
-        uses: coverallsapp/github-action@v2
+        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b
+
       - name: 'Publish: Artifacts'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           name: Artifacts
           path: Artifacts
+
+      # Upload the Software Bill of Materials (SBOM) for this build, to enable downstream trust/analysis
+      - name: Upload SBOM
+        if: >
+          (github.event_name == 'release') ||
+          (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'dendrodocs/dotnet-shared-lib')
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: SBOM
+          path: Sbom/_manifest/spdx_2.2/manifest.spdx.json
+
+      # Use GitHub's attest-sbom action to cryptographically tie the SBOM to the artifacts + their checksums
+      # (SLSA provenance proof, can be verified by downstream consumers)
+      - name: Attest SBOM
+        if: >
+          (github.event_name == 'release') ||
+          (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'dendrodocs/dotnet-shared-lib')
+        uses: actions/attest-sbom@bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b
+        with:
+          sbom-path: Sbom/_manifest/spdx_2.2/manifest.spdx.json
+          subject-path: |
+            Artifacts/*.nupkg
+            Artifacts/*.snupkg
+          subject-checksums: Artifacts/SHA256SUMS

.gitignore

@@ -263,4 +263,9 @@ paket-files/
 *.sln.iml
 pub/
 
-**/launchSettings.json
+**/launchSettings.json
+
+.trivy-cache
+.nuke/temp
+[Aa]rtifacts
+[Ss]bom

.nuke/build.schema.json

@@ -24,16 +24,21 @@
     "ExecutableTarget": {
       "type": "string",
       "enum": [
+        "Audit",
         "CalculateVersion",
         "Clean",
         "CodeCoverage",
         "Compile",
         "Pack",
+        "Proof",
         "Push",
         "PushGithub",
         "PushNuget",
         "Restore",
-        "UnitTests"
+        "SbomDeliverable",
+        "ScanSource",
+        "UnitTests",
+        "VerifyCleanGit"
       ]
     },
     "Verbosity": {

.trivyignore.yaml

@@ -0,0 +1,3 @@
+vulnerabilities:
+  - id: CVE-2025-26646
+    statement: Microsoft.Build.Tasks.Core 17.11.31 is believed to be a fixed version, incorrectly not marked as such.

README.md

@@ -36,6 +36,16 @@ dendrodocs-analyze --solution G:\DendroDocs\dotnet-shared-lib\DendroDocs.Shared.
 The output of **DendroDocs.Tool** is a comprehensive JSON file that conforms to the schema defined in the [DendroDocs Schema](https://github.com/dendrodocs/schema).
 This JSON file provides a representation of your source code, which can be used to generate various types of documentation or integrate with other tools in your development pipeline.
 
+## Security & Build Attestation
+
+This library includes build attestation through GitHub's attest-build-provenance action, providing cryptographic proof of the build process and artifact integrity. Each published package includes verifiable provenance information that demonstrates:
+
+* The exact repository and commit that built the artifacts
+* The GitHub Actions workflow that produced the packages
+* Cryptographic signatures ensuring artifact authenticity
+
+This ensures that the packages you install have not been tampered with and came from the official DendroDocs build pipeline.
+
 ## The DendroDocs Ecosystem
 
 **DendroDocs.Tool** is part of the broader DendroDocs ecosystem.