
Summary

Process:

  1. Checks out the exact release tag
  2. Installs dependencies to build complete dependency tree
  3. Generates CycloneDX SBOM for the entire source codebase
  4. Creates GitHub attestations for build provenance and SBOM verification
  5. Signs SBOM using Cosign keyless signing with GitHub OIDC
  6. Attaches all security artifacts to the release

New release assets:

  • sbom-source.cdx.json - Complete dependency inventory (JSON format)
  • sbom-source.cdx.sig - Cryptographic signature of the SBOM
  • sbom-source.cdx.pem - Certificate for signature verification

GitHub attestations:

  • Build provenance - Cryptographic proof of how the release was built
  • SBOM attestation - Links the dependency inventory to the release
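The six-step process above, written out as a release-triggered GitHub Actions job. This is an added illustration, not the workflow from this PR: the SBOM generator (`@cyclonedx/cyclonedx-npm`), the package-manager commands and the action/tool flags are assumptions.

```yaml
# Added example (not the project's own workflow). Generator, install command
# and tool flags are assumptions; asset names match the PR summary.
name: release-sbom
on:
  release:
    types: [published]
permissions:
  contents: write        # upload assets to the release
  id-token: write        # GitHub OIDC token for Cosign keyless signing
  attestations: write    # create GitHub attestations
jobs:
  sbom:
    runs-on: ubuntu-latest
    env:
      SBOM: sbom-source.cdx.json
    steps:
      # 1. Check out the exact release tag, not the default branch
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.tag_name }}
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # 2. Install dependencies so the lockfile-resolved tree is present
      - run: npm ci
      # 3. Generate the CycloneDX SBOM (JSON) for the whole source tree
      - run: npx @cyclonedx/cyclonedx-npm --output-format JSON --output-file "$SBOM"
      # 4. GitHub attestations: build provenance and SBOM, both bound to the SBOM file
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: ${{ env.SBOM }}
      - uses: actions/attest-sbom@v1
        with:
          subject-path: ${{ env.SBOM }}
          sbom-path: ${{ env.SBOM }}
      # 5. Keyless signature: cosign obtains the OIDC token from the runner,
      #    writes the signature and the short-lived Fulcio certificate to disk
      - uses: sigstore/cosign-installer@v3
      - run: |
          cosign sign-blob --yes \
            --output-signature sbom-source.cdx.sig \
            --output-certificate sbom-source.cdx.pem \
            "$SBOM"
      # 6. Attach SBOM, signature and certificate to the release
      - run: |
          gh release upload "${{ github.event.release.tag_name }}" \
            "$SBOM" sbom-source.cdx.sig sbom-source.cdx.pem --clobber
        env:
          GH_TOKEN: ${{ github.token }}
```

A consumer checks the three assets with `cosign verify-blob --certificate sbom-source.cdx.pem --signature sbom-source.cdx.sig --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/<owner>/<repo>/' sbom-source.cdx.json`, pinning the identity to the repository's workflow so a signature from any other GitHub workflow is rejected.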

Related Linear tickets, GitHub issues, and Community forum posts

https://linear.app/n8n/issue/CAT-1126/include-a-signed-sbom-software-bill-of-materials-with-every-release-of

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)