chore: add CODEOWNERS and SBOM workflow for CELA compliance

imran-siddique · Copilot · web-flow · commit 56c86f41f270 · 2026-03-05T17:06:48.000-08:00
* docs: add OpenSSF badges, update OWASP to 10/10, add v1.0.0 release notes Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * chore: add CODEOWNERS and SBOM generation workflow - CODEOWNERS: @imran-siddique as default reviewer for all packages - SBOM workflow: generates SPDX + CycloneDX SBOMs on release - Uses anchore/sbom-action with pinned SHA - Attests SBOM via actions/attest-sbom for supply chain security - Uploads SBOMs as release assets - Addresses CELA release checklist gaps for supply chain compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,19 @@
+# CODEOWNERS — Default reviewers for microsoft/agent-governance-toolkit
+# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default owners for everything in the repo
+* @imran-siddique
+
+# Package-specific ownership
+/packages/agent-os/          @imran-siddique
+/packages/agent-mesh/        @imran-siddique
+/packages/agent-hypervisor/  @imran-siddique
+/packages/agent-sre/         @imran-siddique
+/packages/agent-compliance/  @imran-siddique
+
+# CI/CD and GitHub configuration
+/.github/                    @imran-siddique
+
+# Documentation
+/docs/                       @imran-siddique
+*.md                         @imran-siddique
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -0,0 +1,54 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+name: SBOM Generation
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  id-token: write
+  attestations: write
+
+jobs:
+  sbom:
+    name: Generate SBOM
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.18.0
+        with:
+          path: .
+          format: spdx-json
+          output-file: sbom.spdx.json
+          artifact-name: sbom-spdx
+
+      - name: Generate CycloneDX SBOM
+        uses: anchore/sbom-action@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.18.0
+        with:
+          path: .
+          format: cyclonedx-json
+          output-file: sbom.cdx.json
+          artifact-name: sbom-cyclonedx
+
+      - name: Attest SBOM
+        if: github.event_name == 'release'
+        uses: actions/attest-sbom@115c3be05ff3974bcbd0b9f9ef62b1aaad0cae2b # v2.2.0
+        with:
+          subject-path: sbom.spdx.json
+          sbom-format: spdx+json
+
+      - name: Upload SBOMs to release
+        if: github.event_name == 'release'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release upload "${{ github.event.release.tag_name }}" \
+            sbom.spdx.json \
+            sbom.cdx.json \
+            --clobber
