Pin base image digest, add OCI labels, verification docs, dependabot, CI tests, and release workflow

- Pin debian:bookworm-slim to specific digest for reproducible builds
- Add OCI labels (source, description, licenses, vendor, title, url)
- Add image verification section to README
- Add dependabot for GitHub Actions and Docker base image updates
- Add CI workflow to build all example Dockerfiles on PRs
- Add release workflow to auto-generate release notes on tags

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: DrewDennison

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/release.yml

@@ -0,0 +1,22 @@
+name: Create Release
+
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Create release
+        run: gh release create "${{ github.ref_name }}" --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test-examples.yml

@@ -0,0 +1,44 @@
+name: Test Examples
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  build-examples:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        example:
+          - examples/lockfiles/npm
+          - examples/lockfiles/maven
+          - examples/lockfiles/poetry
+          - examples/lockfiles/uv
+          - examples/lockfiles/pip
+          - examples/lockfiles/gradle
+          - examples/lockfiles/bazel
+          - examples/sbom/npm
+          - examples/sbom/maven
+          - examples/sbom/poetry
+          - examples/sbom/uv
+          - examples/sbom/pip
+          - examples/sbom/gradle
+          - examples/sbom/bazel
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build ${{ matrix.example }}
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ matrix.example }}
+          platforms: linux/amd64,linux/arm64
+          push: false

Dockerfile

@@ -1,4 +1,11 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:98f4b71de414932439ac6ac690d7060df1f27161073c5036a7553723881bffbe
+
+LABEL org.opencontainers.image.source="https://github.com/semgrep/supply-chain-base-image"
+LABEL org.opencontainers.image.description="Base Docker image for generating lockfiles and SBOMs from source code"
+LABEL org.opencontainers.image.licenses="MIT"
+LABEL org.opencontainers.image.vendor="Semgrep"
+LABEL org.opencontainers.image.title="Supply Chain Base Image"
+LABEL org.opencontainers.image.url="https://github.com/semgrep/supply-chain-base-image"
 
 ENV SEMGREP_WORKSPACE=/semgrep/workspace
 ENV SEMGREP_OUTPUT=/semgrep/outputs

README.md

@@ -113,6 +113,31 @@ COPY my-script.sh /usr/local/bin/
 CMD ["my-script.sh"]
 ```
 
+## Verifying the Image
+
+Every image we publish is signed and includes [SLSA v1.0 Build L3](https://slsa.dev/) provenance and an embedded SBOM. You can verify that the image you pulled was built by our CI pipeline and hasn't been tampered with.
+
+### Verify build provenance
+
+Requires the [GitHub CLI](https://cli.github.com/):
+
+```bash
+gh attestation verify oci://ghcr.io/semgrep/supply-chain-base-image:main \
+  -R semgrep/supply-chain-base-image
+```
+
+### Inspect the embedded SBOM and provenance
+
+```bash
+# View provenance
+docker buildx imagetools inspect ghcr.io/semgrep/supply-chain-base-image:main \
+  --format '{{ json .Provenance }}'
+
+# View SBOM
+docker buildx imagetools inspect ghcr.io/semgrep/supply-chain-base-image:main \
+  --format '{{ json .SBOM }}'
+```
+
 ## Building the Base Image Locally
 
 If you want to build the base image yourself instead of pulling from the registry: