Add cargo audit CI job and SBOM generation to release workflow

- New security job in CI runs cargo audit on every push/PR
- Release workflow generates SPDX SBOM via anchore/sbom-action and
  uploads it as a release asset

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: haasonsaas

.github/workflows/ci.yml

@@ -28,6 +28,17 @@ jobs:
       - name: Clippy
         run: cargo clippy -- -D warnings
 
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+      - name: Audit dependencies
+        run: cargo audit
+
   test:
     runs-on: ${{ matrix.os }}
     strategy:

.github/workflows/release.yml

@@ -248,4 +248,16 @@ jobs:
       - name: Sign image (keyless)
         env:
           IMAGE_REF: ghcr.io/haasonsaas/diffscope@${{ steps.build-and-push.outputs.digest }}
-        run: cosign sign --yes "${IMAGE_REF}"
+        run: cosign sign --yes "${IMAGE_REF}"
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/haasonsaas/diffscope@${{ steps.build-and-push.outputs.digest }}
+          format: spdx-json
+          output-file: sbom-diffscope.spdx.json
+
+      - name: Upload SBOM to release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release upload ${{ github.ref_name }} sbom-diffscope.spdx.json --clobber || true