jedarden/pdftract

Fork 0

Commit graph

Author	SHA1	Message	Date
jedarden	434d5b154f	docs(pdftract-8zbd): verify CycloneDX SBOM generation implementation All acceptance criteria verified PASS: - generate-sbom template in both workflows (github-release, docker-build) - SBOM attached to GitHub Release assets - SBOM attested to Docker images via cosign attest --type cyclonedx - SBOM included in SHA256SUMS aggregate - cyclonedx-cli validate passes - grype sbom: produces interpretable vulnerability report Tested with existing 127-component SBOM; grype found 1 Low severity vulnerability (GHSA-pph8-gcv7-4qj5 in PyO3 < 0.24.1). Bead: pdftract-8zbd	2026-05-22 23:54:18 -04:00
jedarden	64bb59d76f	docs(pdftract-8zbd): add SBOM generation verification note Documents that CycloneDX SBOM generation is fully implemented in the Argo Workflows (declarative-config). The workflows: - Generate pdftract-vX.Y.Z.cdx.json using cargo-cyclonedx - Validate schema with cyclonedx-cli validate - Attest to Docker images via cosign attest --type cyclonedx - Attach to GitHub Release as an asset - Include in SHA256SUMS aggregate Acceptance criteria: 5 PASS, 1 WARN (grype test requires release) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 19:38:25 -04:00

Author

SHA1

Message

Date

jedarden

434d5b154f

docs(pdftract-8zbd): verify CycloneDX SBOM generation implementation

All acceptance criteria verified PASS:
- generate-sbom template in both workflows (github-release, docker-build)
- SBOM attached to GitHub Release assets
- SBOM attested to Docker images via cosign attest --type cyclonedx
- SBOM included in SHA256SUMS aggregate
- cyclonedx-cli validate passes
- grype sbom: produces interpretable vulnerability report

Tested with existing 127-component SBOM; grype found 1 Low severity
vulnerability (GHSA-pph8-gcv7-4qj5 in PyO3 < 0.24.1).

Bead: pdftract-8zbd

2026-05-22 23:54:18 -04:00

jedarden

64bb59d76f

docs(pdftract-8zbd): add SBOM generation verification note

Documents that CycloneDX SBOM generation is fully implemented
in the Argo Workflows (declarative-config). The workflows:
- Generate pdftract-vX.Y.Z.cdx.json using cargo-cyclonedx
- Validate schema with cyclonedx-cli validate
- Attest to Docker images via cosign attest --type cyclonedx
- Attach to GitHub Release as an asset
- Include in SHA256SUMS aggregate

Acceptance criteria: 5 PASS, 1 WARN (grype test requires release)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-20 19:38:25 -04:00

2 commits