fix(deps): Project-Logos Pattern B (mixed) — VC-53686#3

Open

torresashjiancyber wants to merge 1 commit into Venafi:main from torresashjiancyber:VC-53686-logos-fix-b

Conversation

@torresashjiancyber

Summary

This PR addresses security findings from the Project Logos supply chain scan (VC-53686) by implementing cryptographic verification for release artifacts and publishing a Software Bill of Materials (SBOM).

Findings addressed

High - SC-001 (CWE-494): Installer downloads and executes release binary without checksum or signature

Solution: Created automated GitHub Actions workflow that:

  • Generates SHA-256 checksums for all release artifacts
  • Cryptographically signs checksums using Sigstore cosign with keyless signing (GitHub OIDC)
  • Uploads checksums.txt and signature bundle to each release

Medium - SC-002 (CWE-1059): No dependency manifest or SBOM published

Solution: The workflow now:

  • Generates CycloneDX 1.4 format SBOM for each release
  • Publishes SBOM as release artifact
  • Provides visibility into license and dependency posture

Changes

  1. New workflow: .github/workflows/release-security.yml

    • Triggers on release publication
    • Downloads all release assets
    • Generates and signs checksums
    • Creates CycloneDX SBOM
    • Uploads security artifacts
    • Updates release notes with verification instructions
  2. Updated documentation: .github/README.md

    • Added "Verifying Downloads" section
    • Step-by-step checksum verification instructions (Linux/macOS)
    • Signature verification guide using cosign
    • SBOM availability notice

Local verification

  • No build required (documentation/release repo)
  • Workflow will execute on next release publication
  • Users can verify downloads using standard SHA-256 tools
  • Signature verification available via cosign CLI

Next steps

After merge, the next release will automatically include:

  • checksums.txt - SHA-256 hashes for all artifacts
  • checksums.txt.bundle - Cosign signature bundle
  • sbom.json - CycloneDX Software Bill of Materials
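The checksum generation and download verification that the PR description above outlines, written out as an added example. This is not code from the PR or from the repository's `release-security.yml` workflow; it reconstructs the two sides of SC-001 from the description alone. `make_checksums` produces a `checksums.txt` in the `sha256sum` format for every file in a release-assets directory (the workflow step), and `verify_artifact` checks one downloaded file against that list before it is executed (the user step). `verify_checksums_signature` wraps the cosign keyless check of the signature bundle; the `ORG/REPO` identity and the exact cosign flags are assumptions to be replaced with the real repository, and the function returns 3 rather than failing when cosign is not installed. The sample assets are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the PR: generate checksums.txt for release assets
# and verify a downloaded artifact against it before running it.
set -eu

# Portable SHA-256: GNU coreutils on Linux, shasum on macOS. Both print
# "<hash>  <file>", which is the format checksums.txt uses.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  else
    shasum -a 256 "$@"
  fi
}

# Workflow side: one checksum line per asset in $1, written to $1/checksums.txt.
# checksums.txt itself is skipped so the function is safe to re-run.
make_checksums() {
  dir=$1
  (
    cd "$dir"
    : > checksums.txt
    for f in *; do
      [ -f "$f" ] || continue
      [ "$f" = checksums.txt ] && continue
      sha256_tool "$f" >> checksums.txt
    done
  )
}

# User side: compare the hash of the downloaded file $1 with the entry for its
# basename in checksums.txt ($2). Returns 0 on match, 1 on mismatch, 2 when the
# file has no entry at all (a missing entry must fail, never silently pass).
verify_artifact() {
  file=$1
  sums=$2
  expected=$(awk -v f="$(basename "$file")" '$2 == f { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $(basename "$file") in $sums" >&2
    return 2
  fi
  actual=$(sha256_tool "$file" | awk '{ print $1 }')
  [ "$expected" = "$actual" ]
}

# Keyless cosign check of checksums.txt ($1) against its bundle ($2).
# ORG/REPO is a placeholder (assumption): pin the identity to the repository's
# own workflow path so a signature from any other GitHub workflow is rejected.
verify_checksums_signature() {
  sums=$1
  bundle=$2
  if ! command -v cosign >/dev/null 2>&1; then
    echo "cosign not installed; signature check skipped" >&2
    return 3
  fi
  cosign verify-blob \
    --bundle "$bundle" \
    --certificate-identity-regexp '^https://github\.com/ORG/REPO/\.github/workflows/release-security\.yml@' \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    "$sums"
}

# Demo with constructed assets: a good download verifies, a tampered one fails.
demo() {
  tmp=$(mktemp -d)
  printf 'constructed release binary (linux)\n'  > "$tmp/example-tool-linux-amd64"
  printf 'constructed release binary (darwin)\n' > "$tmp/example-tool-darwin-amd64"
  make_checksums "$tmp"
  verify_artifact "$tmp/example-tool-linux-amd64" "$tmp/checksums.txt" && echo "checksum OK"
  printf 'tampered content\n' > "$tmp/example-tool-linux-amd64"
  if verify_artifact "$tmp/example-tool-linux-amd64" "$tmp/checksums.txt"; then
    echo "ERROR: tampered artifact passed"; return 1
  fi
  echo "tampered artifact rejected"
  rm -rf "$tmp"
}

demo
```

The checksum comparison is deliberately done per file rather than with `sha256sum -c`, because a user who downloaded a single asset would otherwise see the other entries reported as missing; the signature check is what ties `checksums.txt` to the release workflow, so a verified checksum without a verified bundle still only proves that the file matches whatever was uploaded.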

