jcputney · jcputney · May 6, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,49 @@
+name: OSV-Scanner
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    - cron: '17 6 * * 1'
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  # Reusable workflows are pinned to an immutable commit SHA rather
+  # than a moving tag for supply-chain hardening: tags can be
+  # retargeted upstream, but a SHA guarantees the exact workflow
+  # code that was reviewed is what runs in CI. The SHA below
+  # corresponds to google/osv-scanner-action v2.2.4. Update
+  # deliberately; Dependabot's `github-actions` ecosystem keeps
+  # SHA-pinned references current via PRs.
+  scan-scheduled:
+    if: github.event_name != 'pull_request'
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9bb69575e74019c2ad085a1860787043adf47ccb" # v2.2.4
+    with:
+      scan-args: |-
+        --recursive
+        --skip-git
+        ./
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+  scan-pr:
+    if: github.event_name == 'pull_request'
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@9bb69575e74019c2ad085a1860787043adf47ccb" # v2.2.4
+    with:
+      scan-args: |-
+        --recursive
+        --skip-git
+        ./
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -100,6 +100,7 @@ jobs:
     permissions:
       contents: write
       id-token: write
+      attestations: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
@@ -142,9 +143,77 @@ jobs:
 
           echo "Publishing version $VERSION with tag: $(grep tag= $GITHUB_OUTPUT | cut -d= -f2)"
 
-      # Publish to npm using OIDC (no token needed)
+      # Generate CycloneDX SBOM for the production dependency tree.
+      # We invoke the locally-installed binary directly (rather than
+      # `npx @cyclonedx/cyclonedx-npm`) so that a missing or moved
+      # devDependency fails the build immediately instead of silently
+      # fetching an unpinned version from the registry. Version is
+      # pinned via the devDependency in package.json so Dependabot's
+      # npm ecosystem keeps it up to date. The `overrides` block in
+      # package.json replaces cyclonedx-npm's optional libxmljs2
+      # native dep with a no-op stub since we only emit JSON; this
+      # avoids slow node-gyp builds and Node ABI/prebuild
+      # compatibility issues on CI runners.
+      - name: Generate CycloneDX SBOM
+        run: |
+          ./node_modules/.bin/cyclonedx-npm \
+            --omit dev \
+            --output-format JSON \
+            --output-file sbom.cdx.json \
+            --spec-version 1.6
+          echo "SBOM generated:"
+          ls -la sbom.cdx.json
+
+      # Pack the npm tarball that will be published. Building it
+      # explicitly here lets us attest and publish the *same* bytes
+      # rather than trusting two separate `npm publish` packs to
+      # produce identical output.
+      - name: Pack npm tarball
+        id: pack
+        run: |
+          TARBALL=$(npm pack --silent)
+          echo "tarball=$TARBALL" >> $GITHUB_OUTPUT
+          ls -la "$TARBALL"
+
+      # Attest build provenance for the npm tarball that will be
+      # published. This is the canonical artifact; it includes
+      # everything `npm pack` puts on disk (files matched by
+      # package.json "files", plus npm's automatic inclusions like
+      # package.json, README, and LICENSE).
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: ${{ steps.pack.outputs.tarball }}
+
+      # Attest the SBOM against the same tarball, so consumers can
+      # verify the SBOM corresponds to the exact npm artifact.
+      - name: Attest SBOM
+        uses: actions/attest-sbom@v3
+        with:
+          subject-path: ${{ steps.pack.outputs.tarball }}
+          sbom-path: 'sbom.cdx.json'
+
+      # Attach the SBOM to the GitHub Release as a downloadable asset
+      - name: Upload SBOM to GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cp sbom.cdx.json "scorm-again-${{ steps.npm_tag.outputs.version }}.cdx.json"
+          gh release upload "${{ github.event.release.tag_name }}" \
+            "scorm-again-${{ steps.npm_tag.outputs.version }}.cdx.json" \
+            --clobber
+
+      # Publish to npm using OIDC (no token needed). Runs last so
+      # that the only irreversible side-effect happens after SBOM,
+      # attestations, and release-asset upload have all succeeded.
+      # Publish the pre-packed tarball so what's attested above is
+      # exactly what's published.
       - name: Publish to npm
-        run: npm publish --tag ${{ steps.npm_tag.outputs.tag }} --provenance --access public
+        run: |
+          npm publish "${{ steps.pack.outputs.tarball }}" \
+            --tag ${{ steps.npm_tag.outputs.tag }} \
+            --provenance \
+            --access public
 
       # Check if release has manual notes
       - name: Check for manual release notes