ci: add CodeQL SAST, CycloneDX SBOM, and build attestations#470
- New CodeQL workflow runs security-and-quality queries on push, PR, and weekly schedule to catch SAST issues alongside the existing Dependabot SCA coverage.
- cyclonedx-maven-plugin generates a CycloneDX 1.6 SBOM (XML + JSON) for compile/runtime/provided dependencies during the package phase, attached as a build artifact so it's published to Maven Central with the JAR.
- release.yml and snapshot.yml now produce GitHub build provenance and SBOM attestations (actions/attest-build-provenance, attest-sbom) so downstream consumers can verify artifacts via gh attestation verify. Release workflow also uploads the SBOM to the GitHub Release.
📊 Benchmark Results (triggered by workflow run)
✅ All benchmarks passed performance thresholds.
Pull request overview
This PR adds supply-chain/security automation around the existing Maven build and release process: CodeQL code scanning, CycloneDX SBOM generation, and GitHub artifact attestations for snapshot/release artifacts.
Changes:
- Adds a new CodeQL workflow for Java on pushes, PRs, and a weekly schedule.
- Configures Maven to generate CycloneDX 1.6 SBOM files during package.
- Extends snapshot/release workflows to create attestations and publish SBOM artifacts.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pom.xml | Adds the CycloneDX Maven plugin and version property to generate SBOMs during packaging. |
| .github/workflows/snapshot.yml | Adds snapshot attestation steps and uploads generated SBOM files as workflow artifacts. |
| .github/workflows/release.yml | Adds release attestation steps and attempts to upload SBOM files to the GitHub Release. |
| .github/workflows/codeql.yml | Introduces a dedicated CodeQL analysis workflow for the Java codebase. |
…upload
- snapshot.yml: move attestation steps to after the GitHub Packages deploy. The deploy re-runs the package phase and overwrites target/, so attesting before deploy produced digests that did not match the published JARs, making the attestations unverifiable for consumers.
- release.yml: replace `gh release upload` with `gh release create` since `mvn release:perform` only creates a git tag, not a GitHub Release. The previous command always fell through the `|| echo` guard and the SBOM was never attached to the release.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
The library SBOM describes the main artifact's dependency graph. The previous subject-path glob also matched -sources and -javadoc JARs, which would have published an SBOM attestation claiming dependencies those artifacts do not have. Build provenance attestations still cover all three JARs since they are all genuine build outputs.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
…napshot
- release.yml: the GitHub Release upload runs after the irreversible Maven Central publish in `mvn release:perform`. Mark the step `continue-on-error: true` so a transient gh API error does not fail the job once Central has already accepted the version, and detect whether the release already exists so a rerun uploads with --clobber instead of erroring on `gh release create`.
- snapshot.yml: switch the SBOM workflow artifact upload from `if-no-files-found: warn` to `error` so a regression in the SBOM packaging path fails the build instead of silently passing.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
The Maven build steps execute repository-controlled plugin code, so granting id-token: write and attestations: write to the same job that runs `mvn` made those credentials reachable from any Maven plugin. Move attestations and the GitHub Release SBOM upload into a dedicated post-build job that only has those permissions; the build job stays read-only for OIDC. This also removes the need for `continue-on-error` on the GitHub Release upload: the Maven Central publish completes in the release job (which stays green once Central accepts the version), and a failure in the attest job is now a visibly red, rerunnable job instead of a silently green workflow with no follow-up signal. Artifacts are staged into a directory and uploaded with if-no-files-found: error so a regression in the SBOM packaging path fails the build.
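An added example workflow (not the PR's own snapshot.yml) showing the job split described in this commit together with the SBOM subject narrowing from the earlier one: the job that runs Maven has only `contents: read`, while a separate job that never executes repository plugins holds `id-token: write` and `attestations: write`, and the SBOM attestation is bound to the main JAR alone. Action versions, the Java toolchain and the `help:evaluate` lookup of the main JAR name are assumptions.

```yaml
name: snapshot                                # added example, not the PR's own workflow
on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # Maven plugins run here, so this job gets no OIDC or attestation rights
    outputs:
      jar: ${{ steps.meta.outputs.jar }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with: { distribution: temurin, java-version: '21' }   # assumed toolchain
      - run: mvn -B package   # cyclonedx-maven-plugin writes target/bom.xml and target/bom.json
      - id: meta              # record the main JAR's file name for the SBOM attestation subject
        run: echo "jar=$(mvn -q help:evaluate -Dexpression=project.build.finalName -DforceStdout).jar" >> "$GITHUB_OUTPUT"
      - run: |                # stage exactly what the attest job is allowed to sign
          mkdir staging
          cp target/*.jar target/bom.xml target/bom.json staging/
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: staging/
          if-no-files-found: error   # a missing SBOM or JAR fails the build instead of passing silently

  attest:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # only this job can mint the OIDC token used for signing
      attestations: write
    steps:
      - uses: actions/download-artifact@v4
        with: { name: build-output, path: staging }
      - uses: actions/attest-build-provenance@v2
        with:
          subject-path: staging/*.jar   # main, -sources and -javadoc JARs are all genuine build outputs
      - uses: actions/attest-sbom@v2
        with:
          subject-path: staging/${{ needs.build.outputs.jar }}   # the SBOM describes the main JAR only
          sbom-path: staging/bom.json
```

A consumer then checks a downloaded JAR against the recorded provenance with `gh attestation verify <jar> --repo jcputney/elearning-module-parser`; a digest mismatch (for example from the overwritten target/ problem fixed earlier in this PR) fails that check.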
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
…e job
Agent-Logs-Url: https://github.com/jcputney/elearning-module-parser/sessions/6afe0834-5f84-4b8e-872d-75122168c551
Co-authored-by: jcputney <42720634+jcputney@users.noreply.github.com>