chore: update workflows to add new sbom features

Verified workflows work with the sbom analysis
Added vulnerability report on pre-commit

Author: mobious999

.github/workflows/Attest-build-provenance.yml

@@ -0,0 +1,20 @@
+---
+name: 🔐 Attest Build Provenance
+on:
+  push:
+    tags: [v*.*.*]
+permissions:
+  id-token: write
+  contents: read
+jobs:
+  provenance:
+    name: Generate SLSA Provenance
+    runs-on: ubuntu-latest
+    steps:
+      - name: 📥 Checkout Source Code
+        uses: actions/checkout@v4
+      - name: 🧾 Generate Provenance Attestation
+        uses: slsa-framework/slsa-github-generator/actions/provenance@v1
+        with:
+          builder-id: https://github.com/${{ github.repository }}/.github/workflows/Build%20and%20Push%20Docker%20Image.yml@refs/tags/${{
+            github.ref_name }}

.github/workflows/Build and Push Docker Image.yml

@@ -1,30 +1,31 @@
 ---
-name: Build and Push Docker Image
+name: 🛠️ Build and Push Docker Image
 on:
   push:
     branches: [main]
   workflow_dispatch:
 permissions:
   contents: read
   packages: write
+  id-token: write  # ✅ Required for provenance signing
 jobs:
-  build-and-push-docker-image:
+  build-and-push:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
+      - name: 📥 Checkout Repository
         uses: actions/checkout@v4
-      - name: Set up Docker Buildx
+      - name: 🔧 Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Log in to GitHub Container Registry
+      - name: 🔐 Log in to GitHub Container Registry
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }}
           --password-stdin
-      - name: Set up Python and install Commitizen
+      - name: 🐍 Set up Python & Install Commitizen
         uses: actions/setup-python@v5
         with:
           python-version: '3.13'
-      - name: Install Commitizen
+      - name: 📦 Install Commitizen
         run: pip install commitizen
-      - name: Extract version from Commitizen
+      - name: 🔍 Extract Version from Commitizen
         id: get_version
         run: |
           VERSION=$(cz version --project)
@@ -33,11 +34,32 @@ jobs:
             exit 1
           fi
           echo "VERSION=$VERSION" >> $GITHUB_ENV
-      - name: Build and push Docker image
-        run: |-
+          echo "🆕 Version = $VERSION"
+      - name: 🏗️ Build and Push Docker Image
+        run: |
           docker buildx build \
             --push \
             --tag ghcr.io/${{ github.repository }}:latest \
             --tag ghcr.io/${{ github.repository }}:${{ github.sha }} \
             --tag ghcr.io/${{ github.repository }}:${{ env.VERSION }} \
             .
+      - name: 📜 Generate SBOM for Docker Image
+        run: |
+          pip install syft==0.98.0
+          syft ghcr.io/${{ github.repository }}:${{ env.VERSION }} -o cyclonedx-json > sbom.image.json
+      - name: 🧾 Get Image Digest
+        run: |
+          IMAGE_DIGEST=$(syft ghcr.io/${{ github.repository }}:${{ env.VERSION }} -o json | jq -r '.artifacts[0].digest')
+          echo "IMAGE_DIGEST=$IMAGE_DIGEST" >> $GITHUB_ENV
+      - name: 📤 Upload SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-image
+          path: sbom.image.json
+          retention-days: 30
+      - name: 📝 Summary Report
+        run: |-
+          echo "### 🐳 Docker Image Build Summary" >> $GITHUB_STEP_SUMMARY
+          echo "- Version: ${{ env.VERSION }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Image Digest: ${{ env.IMAGE_DIGEST }}" >> $GITHUB_STEP_SUMMARY
+          echo "- SBOM file: sbom.image.json" >> $GITHUB_STEP_SUMMARY

.github/workflows/GitHub Workflow Lint.yml

@@ -6,6 +6,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # ✅ Fix for Super Linter SHA access
       - name: Super Linter
         uses: github/super-linter@v6
         env:

.github/workflows/SBOM Generator.yml

@@ -4,7 +4,6 @@ on:
   push:
     branches: [main]
   workflow_dispatch:
-
 jobs:
   generate-sbom:
     runs-on: ubuntu-latest

.github/workflows/Sbom Attestation.yml

@@ -1,7 +1,7 @@
+---
 name: 🧪 SBOM Attestation
 on:
   workflow_dispatch:
-
 jobs:
   attest:
     runs-on: ubuntu-latest
@@ -10,4 +10,4 @@ jobs:
       - run: make sbom-py
       - run: make sbom-image
       - run: make audit
-      - run: python .hooks/check-audit-artifacts.py
+      - run: python .hooks/check-audit-artifacts.py

.github/workflows/Sbom Image Scan.yml

@@ -1,9 +1,9 @@
+---
 name: 📦 SBOM Image Scan
 on:
   workflow_dispatch:
   push:
     branches: [main]
-
 jobs:
   image-sbom:
     runs-on: ubuntu-latest
@@ -18,4 +18,4 @@ jobs:
       - uses: actions/upload-artifact@v4
         with:
           name: sbom-image
-          path: sbom.spdx.json
+          path: sbom.spdx.json

.github/workflows/Vulnerability Audit.yml

@@ -35,4 +35,6 @@ jobs:
           path: pip-audit.json
           retention-days: 30
       - name: Show pip-audit version
-        run: pip freeze | grep pip-audit
+        run: |-
+          echo "### pip-audit version" >> $GITHUB_STEP_SUMMARY
+          pip show pip-audit || echo "⚠️ pip-audit not found via pip show" >> $GITHUB_STEP_SUMMARY

.hooks/check-audit-artifacts.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
-import sys
 import argparse
+import sys
 from pathlib import Path