Add SBOM to releases#60
Merged
Merged
Conversation
a53e05e to
bc97335
Compare
bc97335 to
4c88449
Compare
4c88449 to
e4c9b10
Compare
Abhijeet Prasad (AbhiPrasad)
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds a signed Software Bill of Materials (SBOM) alongside the package for every repository that uses the shared release actions to release.
Why this is a win
A user that installs one of our packages (deployed through these release actions), with zero extra work on our side can:
SBOM is particularly important to users who are subjected to more strigent security protocols as a part of certain certification programs (e.g. FedRAMP)
What each release now produces
How its used
npm audit signatures(JS), PyPI's provenance (Python), orgh attestation verify <artifact> --repo braintrustdata/<sdk>(Ruby).Worth knowing
sbom: falseto opt out).pnpm sbom, OWASPcyclonedx-py, and Bundler; signing uses GitHub's officialactions/attest. No third-party convenience actions.validatestep also generates the SBOM, so tooling problems surface before a release is approved.Adopting repos: the publish job needs
attestations: write(and JS needs pnpm ≥ 11.8). Canonical templates already wire this up; seeREADME.md.