
ci(release): generate signed SBOM on each release #41

Open
dgokeeffe wants to merge 1 commit into main from ci/sbom-on-release

Conversation

@dgokeeffe
Collaborator

Summary

Every GitHub Release now publishes a signed CycloneDX SBOM, giving enterprise security reviewers a verifiable record of what shipped and proof that the bits came from this repo's workflow.

What's attached to each release going forward

  • coda-sbom.cdx.json: CycloneDX SBOM of every Python + npm dependency (generated by syft via anchore/sbom-action)
  • coda-sbom.cdx.json.cosign.bundle: Sigstore keyless signature bundle (cert + signature + Rekor inclusion proof in one self-contained file)

How signing works

cosign is invoked with --yes and reads a short-lived OIDC token from GitHub Actions. There are no long-lived signing keys in this repo. The signing certificate's identity is bound to:

  • Workflow path: https://github.com/databrickslabs/coding-agents-databricks-apps/.github/workflows/release.yml
  • Tag ref: refs/tags/vX.Y.Z

A public transparency-log entry is recorded in Rekor for every signature.

The workflow runs cosign verify-blob against its own output before publishing — if signing or verification fails, the release is not created.

Operator verification

TAG=v1.0.0
gh release download "$TAG" -p 'coda-sbom.cdx.json*'

cosign verify-blob \
  --bundle coda-sbom.cdx.json.cosign.bundle \
  --certificate-identity-regexp 'https://github.com/databrickslabs/coding-agents-databricks-apps/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  coda-sbom.cdx.json

Why enterprise reviewers care

  • PCI-DSS 6.3.2 — maintain inventory of bespoke and custom software components
  • ISO 27001 A.8.28 / A.8.30 — secure coding + outsourced development controls; SBOMs are the canonical evidence
  • APRA CPS 234 (Australian financial services) — third-party risk: customers can diff SBOMs across CoDA versions and feed them into their own vulnerability scanners
  • EO 14028 / NIST SSDF — federal/regulated buyers increasingly require SBOMs as a procurement gate

Workflow changes

  • Added id-token: write permission (required for cosign OIDC keyless signing)
  • Added anchore/sbom-action@9f73021… (v0.20.5, SHA-pinned) — generates cyclonedx-json
  • Added sigstore/cosign-installer@d7d6e07… (v3.5.0, SHA-pinned) + cosign sign-blob
  • Extended softprops/action-gh-release files: to attach both artefacts to the release

Trade-offs / what this PR is NOT

  • Not a container/binary signature. CoDA ships as a source bundle deployed via DABs — there is no single Docker image or compiled binary to sign yet. The SBOM is the canonical artefact for this release shape. If we ever publish a container image, we'd add cosign sign <image-ref> alongside this.
  • Doesn't replace dependency-audit.yml. That workflow catches CVEs in the running deps; this one records what was actually shipped. Both are useful — they answer different audit questions.

Test plan

  • Workflow YAML parses cleanly (python -c "import yaml; yaml.safe_load(open('.github/workflows/release.yml'))" passes locally)
  • On next `workflow_dispatch` of Release, verify SBOM + signature bundle appear as release assets
  • Run the documented `cosign verify-blob` against the downloaded artefacts and confirm it returns success
  • Confirm the in-workflow verify step also passes (it's a guard rail — if it fails the release will not publish)

This pull request and its description were written by Isaac.

Adds supply-chain provenance to every GitHub Release so enterprise
security teams (PCI-DSS / ISO 27001 / APRA CPS 234) can verify what
shipped and prove it came from this repo's workflow.

What's attached to each release now:
- coda-sbom.cdx.json — CycloneDX SBOM (Python + npm deps via syft)
- coda-sbom.cdx.json.cosign.bundle — cosign keyless signature bundle
  (cert + signature + Rekor inclusion proof)

Signing uses GitHub OIDC — no long-lived keys. The signing identity is
anchored to this workflow path and the release tag, and a public
transparency-log entry is recorded in Rekor.

Workflow changes:
- Added `id-token: write` permission (required for OIDC keyless signing)
- Added anchore/sbom-action step (SHA-pinned, format=cyclonedx-json)
- Added sigstore/cosign-installer + sign-blob + in-workflow verify
- Extended softprops/action-gh-release `files:` to attach both artefacts

README changes:
- New "Verifying release provenance" subsection with the cosign
  verify-blob command operators can run.

Co-authored-by: Isaac
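The release job the PR describes (id-token permission, syft SBOM, keyless sign-blob, an in-workflow verify-blob guard, then upload of both artefacts) written out as a single GitHub Actions workflow. This is an added illustration, not the PR's actual release.yml: the action versions below are shown as tags with a comment to pin the full commit SHA in practice (the PR's pinned SHAs are truncated above and are not reproduced), the trigger and file names are assumptions, and the guard step checks the exact certificate identity Fulcio issues for a GitHub Actions run, https://github.com/<owner>/<repo>/<workflow path>@<ref>, rather than the repo-wide regexp used in the operator command.

```yaml
name: Release

on:
  push:
    tags: ['v*']          # assumption: the PR mentions workflow_dispatch only
  workflow_dispatch:

permissions:
  contents: write         # create the release and upload assets
  id-token: write         # mint the OIDC token cosign exchanges for a Fulcio cert

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in practice

      - name: Generate CycloneDX SBOM with syft
        uses: anchore/sbom-action@v0   # pin to a full commit SHA in practice
        with:
          path: .
          format: cyclonedx-json
          output-file: coda-sbom.cdx.json
          upload-artifact: false
          upload-release-assets: false   # attached explicitly below, next to its bundle

      - name: Install cosign
        uses: sigstore/cosign-installer@v3   # pin to a full commit SHA in practice

      - name: Sign SBOM (keyless; cert, signature and Rekor proof in one bundle)
        run: |
          cosign sign-blob --yes \
            --bundle coda-sbom.cdx.json.cosign.bundle \
            coda-sbom.cdx.json

      - name: Verify own signature before publishing (guard rail)
        env:
          # Exact identity Fulcio puts in the cert SAN for this run:
          # <workflow path>@<ref that triggered the run>
          EXPECTED_IDENTITY: https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }}
        run: |
          # Non-zero exit fails the job, so the release step below never runs.
          cosign verify-blob \
            --bundle coda-sbom.cdx.json.cosign.bundle \
            --certificate-identity "$EXPECTED_IDENTITY" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            coda-sbom.cdx.json

      - name: Publish release with SBOM and signature bundle
        uses: softprops/action-gh-release@v2   # pin to a full commit SHA in practice
        with:
          files: |
            coda-sbom.cdx.json
            coda-sbom.cdx.json.cosign.bundle
```

Operators can pass the same exact value with --certificate-identity (substituting the tag they downloaded for github.ref) in place of the --certificate-identity-regexp shown in the PR: the regexp accepts a signature produced by any workflow in the repository, the exact identity accepts only release.yml running on that tag. Because the identity carries the triggering ref, a run started by workflow_dispatch from a branch signs as refs/heads/..., not refs/tags/vX.Y.Z, so the verification must name whichever ref the run actually used.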
