ci: generate SBOM and attach to GitHub Releases (OSPS-QA-02.02) (#77)

paradoxbound · claude · web-flow · commit 352eabde8fe2 · 2026-03-08T18:37:04.000Z
## Summary - Adds `anchore/sbom-action` to the `merge` job to generate an SPDX JSON SBOM for each Docker image release - SBOM is uploaded as `sbom.spdx.json` to the corresponding GitHub Release via `gh release upload` - Adds a smoke test in `pre-merge-cd-check` that validates SBOM generation against the PR image before merge - Bumps version to 2.6.1 ## Motivation Satisfies [OSPS-QA-02.02](https://baseline.openssf.org/versions/2025-02-25#osps-qa-0202): all compiled release assets must be delivered with a software bill of materials. ## How it works After the multi-arch manifest is created and verified in the `merge` job: 1. `anchore/sbom-action` scans the verified image and writes `sbom.spdx.json` (`upload-artifact: false`, `upload-release-assets: false` to suppress auto-upload) 2. `gh release upload --clobber` attaches the file to the GitHub Release after it is created In `pre-merge-cd-check`, a smoke test generates an SBOM from the PR amd64 image and confirms the file is non-empty, validating the action before it reaches the release pipeline. ## Test plan - [ ] `pre-merge-cd-check` passes — SBOM smoke test generates a non-empty `sbom-pr.spdx.json` - [ ] After merge, pipeline releases v2.6.1 with `sbom.spdx.json` attached to the GitHub Release - [ ] `gh release download v2.6.1 --pattern 'sbom.spdx.json'` succeeds 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Signed-off-by: Paradoxbound <paradoxbound@users.noreply.github.com> Co-authored-by: Paradoxbound <paradoxbound@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -358,6 +358,17 @@ jobs:
         run: |
           docker buildx imagetools inspect "${{ steps.tags.outputs.semver }}"
 
+      # Generate a Software Bill of Materials (SBOM) for the released image.
+      # The SBOM is written to sbom.spdx.json and uploaded to the GitHub Release.
+      - name: Generate SBOM
+        uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+        with:
+          image: ${{ steps.tags.outputs.semver }}
+          format: spdx-json
+          output-file: sbom.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
       # Create the git tag only after the registry is confirmed healthy.
       # Idempotent: skips if the tag already exists (e.g. workflow re-run).
       - name: Create git tag
@@ -395,6 +406,10 @@ jobs:
             echo "Created GitHub Release ${GIT_TAG}"
           fi
 
+          # Upload SBOM as a release asset (--clobber is idempotent on re-runs).
+          gh release upload "${GIT_TAG}" sbom.spdx.json --clobber
+          echo "Uploaded SBOM to GitHub Release ${GIT_TAG}"
+
       # Remove the intermediate arch-suffixed staging tags from the registry.
       # These are implementation artefacts and should not be publicly visible.
       # Uses the GHCR REST API: GET versions to find the ID, then DELETE by ID.
@@ -654,6 +669,26 @@ jobs:
             --cache-dir .cache/trivy \
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-amd64
 
+      # Smoke-test SBOM generation against the PR amd64 image.
+      # Verifies anchore/sbom-action can scan and produce a valid SPDX file
+      # before this change reaches the release pipeline.
+      - name: Smoke test SBOM generation
+        uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-amd64
+          format: spdx-json
+          output-file: sbom-pr.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Verify SBOM file was generated
+        run: |
+          if [ ! -s sbom-pr.spdx.json ]; then
+            echo "ERROR: sbom-pr.spdx.json is missing or empty"
+            exit 1
+          fi
+          echo "SBOM generated successfully ($(wc -c < sbom-pr.spdx.json) bytes)"
+
       # Create a test multi-arch manifest and confirm it is pullable.
       - name: Create and verify PR test manifest
         run: |
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.6.1] - 2026-03-08
+
+### Added
+- SBOM (Software Bill of Materials) in SPDX JSON format generated for each Docker image release and attached to the GitHub Release as `sbom.spdx.json` (#77)
+
 ## [2.6.0] - 2026-03-08
 
 ### Changed
@@ -111,7 +116,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Response enhancement: URLs, content previews, human-friendly dates, word counts
 - LibreChat and Claude Desktop integration
 
-[Unreleased]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.6.0...HEAD
+[Unreleased]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.6.1...HEAD
+[2.6.1]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.6.0...v2.6.1
 [2.6.0]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.5.6...v2.6.0
 [2.5.6]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.5.4...v2.5.6
 [2.5.4]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.5.3...v2.5.4
diff --git a/README.md b/README.md
@@ -341,7 +341,7 @@ Every Docker image published to GHCR has a [SLSA Level 2 provenance attestation]
 
 ```bash
 gh attestation verify \
-  oci://ghcr.io/paradoxbound/bookstack-mcp:2.6.0 \
+  oci://ghcr.io/paradoxbound/bookstack-mcp:2.6.1 \
   --owner paradoxbound
 ```
 
@@ -354,8 +354,8 @@ To verify a specific digest rather than a tag:
 
 ```bash
 # Get the digest first
-docker pull ghcr.io/paradoxbound/bookstack-mcp:2.6.0
-docker inspect ghcr.io/paradoxbound/bookstack-mcp:2.6.0 --format '{{index .RepoDigests 0}}'
+docker pull ghcr.io/paradoxbound/bookstack-mcp:2.6.1
+docker inspect ghcr.io/paradoxbound/bookstack-mcp:2.6.1 --format '{{index .RepoDigests 0}}'
 
 # Verify by digest
 gh attestation verify \
@@ -366,7 +366,15 @@ gh attestation verify \
 Source releases are signed git tags — you can verify the tag signature with:
 
 ```bash
-git tag --verify v2.6.0
+git tag --verify v2.6.1
+```
+
+### Software Bill of Materials (SBOM)
+
+Every Docker image release includes an SBOM in SPDX JSON format, attached as an asset to the [GitHub Release](https://github.com/paradoxbound/bookstack-mcp/releases). Download it from the release page:
+
+```bash
+gh release download v2.6.1 --pattern 'sbom.spdx.json'
 ```
 
 ## Contributing
diff --git a/SECURITY.md b/SECURITY.md
@@ -6,7 +6,7 @@ Only the latest release is actively maintained with security updates.
 
 | Version | Supported |
 | ------- | --------- |
-| 2.6.x   | yes       |
+| 2.6.1   | yes       |
 | < 2.6   | no        |
 
 ## Secrets and Credentials Policy
diff --git a/packages/stdio/package.json b/packages/stdio/package.json
@@ -1,6 +1,6 @@
 {
   "name": "bookstack-mcp-stdio",
-  "version": "2.6.0",
+  "version": "2.6.1",
   "description": "BookStack MCP server (stdio transport)",
   "type": "module",
   "main": "dist/index.js",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "bookstack-mcp-stdio",`
`3`		`- "version": "2.6.0",`
	`3`	`+ "version": "2.6.1",`
`4`	`4`	`"description": "BookStack MCP server (stdio transport)",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"main": "dist/index.js",`