
chore: supply chain security (attestation, SBOM, Renovate)#27

Merged
27Bslash6 merged 6 commits into main from chore/supply-chain-security
Apr 25, 2026

Conversation


@27Bslash6 27Bslash6 commented Apr 25, 2026

Summary

  • Add SLSA L3 build provenance attestation to release workflow
  • Add CycloneDX SBOM generation and attestation to release workflow
  • Migrate from Dependabot to Renovate (org-wide preset)
  • Add weekly attestation health check workflow

Changes

  • release.yml: Reorder to cargo package → attest → SBOM → publish. Add id-token: write + attestations: write permissions. SHA-pin all actions.
  • dependabot.yml: Deleted (replaced by Renovate)
  • renovate.json: Added (extends github>cachekit-io/renovate-config)
  • attestation-check.yml: New weekly cron to verify attestations exist

Test plan

  • Release workflow passes CI
  • gh attestation verify succeeds after next release
  • Renovate creates Dependency Dashboard issue

Summary by CodeRabbit

  • Chores
    • Updated dependency management and CI/CD infrastructure
    • Release artifacts now include cryptographic build provenance attestations and software bill of materials (SBOM) for enhanced supply chain security verification
    • Automated health checks added to monitor release attestation integrity


coderabbitai Bot commented Apr 25, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e473ded2-eec2-46b7-94d3-55696102a383

📥 Commits

Reviewing files that changed from the base of the PR and between 77db455 and 500f1db.

📒 Files selected for processing (6)
  • .github/workflows/attestation-check.yml
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/release.yml
  • .github/workflows/security.yml
  • deny.toml
📝 Walkthrough

Walkthrough

The changes replace Dependabot with Renovate for dependency automation, introduce a new weekly attestation health check workflow, and enhance the release workflow with cryptographic provenance attestation and Software Bill of Materials (SBOM) generation. A new Renovate configuration file delegates settings to a shared preset while the Dependabot configuration is removed.

Changes

Cohort / File(s) Summary
Dependency Management Configuration
.github/dependabot.yml, renovate.json
Removed Dependabot configuration for Rust and GitHub Actions updates; added Renovate configuration delegating to shared preset github>cachekit-io/renovate-config.
CI/CD Workflows
.github/workflows/attestation-check.yml, .github/workflows/release.yml
Added new weekly attestation health check workflow to verify release provenance via gh attestation list; enhanced release workflow with pinned GitHub Actions SHAs, explicit permissions for attestation operations, and new steps for provenance/SBOM generation using cargo-sbom and cargo sbom.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub as GitHub (Scheduled)
    participant GH as GitHub CLI
    participant Attestations as Attestation Service
    participant Issues as GitHub Issues

    GitHub->>GH: Trigger workflow (weekly)
    GH->>GH: Run 'gh release list'
    alt Releases found
        GH->>Attestations: Run 'gh attestation list --limit 1'
        alt Attestation found
            Attestations-->>GH: Return attestation data
            GH-->>GitHub: Job succeeds
        else No attestation found
            Attestations-->>GH: No results
            GH-->>GitHub: Job fails
            GitHub->>Issues: Create issue with 'bug' label
        end
    else No releases found
        GH-->>GitHub: Skip verification (no output)
    end
sequenceDiagram
    participant GitHub as GitHub (Release Trigger)
    participant Cargo as Cargo Package Manager
    participant SBOMGen as SBOM Generator
    participant AttestSvc as Attestation Service
    participant Registry as Crate Registry

    GitHub->>Cargo: Run 'cargo package'
    Cargo-->>GitHub: Package created
    
    GitHub->>Cargo: Run 'cargo sbom'
    Cargo->>SBOMGen: Generate SBOM
    SBOMGen-->>Cargo: Return sbom.cdx.json
    Cargo-->>GitHub: SBOM saved
    
    GitHub->>AttestSvc: Attest provenance
    AttestSvc-->>GitHub: Provenance attestation created
    
    GitHub->>AttestSvc: Attest SBOM
    AttestSvc-->>GitHub: SBOM attestation created
    
    GitHub->>Registry: Run 'cargo publish'
    Registry-->>GitHub: Crate published
    
    GitHub-->>GitHub: Workflow complete

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Dependencies now dance with Renovate's care,
Attestations weekly check the air,
Provenance signed, SBOM in sight—
Build security shines so bright!
Hop-hop, the pipeline hops with might! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore: supply chain security (attestation, SBOM, Renovate)' directly and comprehensively summarizes all main changes: adding attestation and SBOM generation, migrating to Renovate, and implementing a health-check workflow for supply chain security.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.




@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/release.yml (2)

53-72: continue-on-error: true on all attestation steps makes supply chain guarantees best-effort.

All four attestation-related steps silently swallow failures, meaning releases can be published without any attestations. Combined with the weak verification in attestation-check.yml (which only checks if any attestation exists, not that both provenance and SBOM exist for the specific release), this could lead to undetected attestation gaps.

Consider either:

  1. Removing continue-on-error to fail the release if attestations cannot be generated, or
  2. At minimum, capturing the outcome of each step and logging a warning summary before publish so failures are visible in the workflow run.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 53 - 72, The attestation steps
("Attest Build Provenance", "Install cargo-sbom", "Generate SBOM", "Attest
SBOM") currently use continue-on-error: true which allows releases to proceed
with missing attestations; either remove the continue-on-error lines for those
steps so the job fails on attestation errors, or (if you must tolerate failures)
change each step to always run and emit a step output capturing success/failure
(e.g., in the step's run use exit-handling and echo
"attest_provenance_status=failed" >> $GITHUB_OUTPUT or "success" on success),
then add a final "Verify Attestations" step that reads those outputs and either
fails the job if any required attestation is missing or logs a clear warning
summary before publish; update step names "Attest Build Provenance", "Generate
SBOM", and "Attest SBOM" accordingly.

63-65: SBOM generation may produce an invalid file that gets attested.

If cargo sbom fails (or the format flag is incorrect), the shell redirection still creates sbom.cdx.json (empty or truncated). With continue-on-error: true, the step succeeds silently and the subsequent attest-sbom step attests an invalid SBOM.

Additionally, the format flag --output-format cyclonedx_json_v1_6 appears incorrect according to cargo-sbom documentation, which specifies cyclone_dx_json_1_6 as the correct value. Verify the format syntax is supported by the installed version.

Ensure the SBOM file is valid before attestation:

🛡️ Proposed fix
      - name: Generate SBOM
-       run: cargo sbom --output-format cyclonedx_json_v1_6 > sbom.cdx.json
+       run: |
+         cargo sbom --output-format cyclone_dx_json_1_6 > sbom.cdx.json
+         test -s sbom.cdx.json || exit 1
        continue-on-error: true
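Review bot: the `test -s sbom.cdx.json || exit 1` guard added here is neutralised by the unchanged `continue-on-error: true` that remains on the step (the trailing context line), so an empty SBOM still lets the job proceed to the attest step; drop `continue-on-error` from this step, or gate the later attest step on this step's outcome, for the check to have any effect. `test -s` also only rejects a zero-byte file; a generator that exits mid-write leaves a truncated but non-empty `sbom.cdx.json` that passes, so parsing the file (for example `jq -e .bomFormat sbom.cdx.json >/dev/null`) would be a stronger gate.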
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 63 - 65, The "Generate SBOM" step
currently silences failures and may produce an empty/invalid sbom.cdx.json;
update the step to (1) use the correct format token (change cyclonedx_json_v1_6
to cyclone_dx_json_1_6 or the exact supported flag for the installed
cargo-sbom), (2) remove continue-on-error so the job fails on non-zero exit, and
(3) validate the output before proceeding by checking sbom.cdx.json is non-empty
and valid JSON (e.g., fail if file size is zero or JSON parse fails) so the
subsequent attest-sbom step cannot attest an invalid file; locate the step by
the name "Generate SBOM" and the command string "cargo sbom --output-format
cyclonedx_json_v1_6 > sbom.cdx.json".
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/attestation-check.yml:
- Around line 30-39: Replace the loose repository-level attestation check in the
"Verify attestations" step (currently using `gh attestation list --limit 1`)
with targeted verification against the release tag from
`steps.release.outputs.tag`: call `gh attestation verify` (or `gh attestation
list` scoped with `--subject`/`--predicate` if needed) to ensure attestations
apply to the specific release artifact(s) (e.g., the release artifact pattern
like "*.crate" or the exact release asset name) and assert that both provenance
and SBOM predicate types are present; fail the step if verification for the tag
and required predicate types (provenance, sbom) does not succeed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2a30d3b3-1b2d-4df8-9cb7-5603d7d2078c

📥 Commits

Reviewing files that changed from the base of the PR and between b0ce342 and 77db455.

📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/attestation-check.yml
  • .github/workflows/release.yml
  • renovate.json
💤 Files with no reviewable changes (1)
  • .github/dependabot.yml

- Pin all action refs to full commit SHAs (org policy: sha_pinning_required)
- Switch ubuntu-based jobs from ubuntu-latest to cachekit (ARC self-hosted)
- Keep macos-latest and windows-latest on GitHub-hosted (no self-hosted equivalent)
- Fix stale MSRV guard (1.80 → 1.85) in ci.yml components conditional
- Update Swatinem/rust-cache SHA in release.yml to match current v2
- Add winnow@0.7 skip (duplicate via toml/toml_parser in cbindgen)
- Remove stale getrandom@0.3, rand_core@0.6, libc@0.2 skips

release.yml:
- Remove continue-on-error from attestation steps (fail release if
  attestation fails, don't silently ship without supply chain proof)
- Fix cargo-sbom format flag: cyclonedx_json_v1_6 → cyclone_dx_json_1_6
- Add non-empty validation for generated SBOM file

attestation-check.yml:
- Verify against actual release artifact (gh attestation verify) instead
  of loose repo-level list check
- Assert both provenance and SBOM predicate types are present
- Graceful fallback when no .crate asset is downloadable
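The two checks the review asked for and the commit above describes, as an added example that is not the project's own code: an SBOM gate that the "Generate SBOM" step can run before anything is attested, and a predicate-type assertion over `gh attestation verify --format json` output for the weekly attestation check, so the job fails unless both provenance and SBOM attestations cover the artifact. The predicate-type URIs, the JSON shape assumed for the `gh` output, and every sample document are assumptions constructed here, not values taken from the PR; a workflow step would run it as `python3 check_release_attestations.py sbom.cdx.json` and pipe the `gh` JSON on stdin for the second check.

```python
"""Release-side SBOM gate and post-release predicate check (added example).

Assumptions, not taken from the PR: the predicate-type URIs below, and that
`gh attestation verify --format json` yields a JSON array whose items carry
verificationResult.statement.predicateType.
"""
import json
import sys
from typing import Iterable

# Assumed predicate types: SLSA v1 provenance (attest-build-provenance) and
# CycloneDX (attest-sbom fed a CycloneDX document).
PROVENANCE_PREDICATE = "https://slsa.dev/provenance/v1"
SBOM_PREDICATE = "https://cyclonedx.org/bom"
REQUIRED_PREDICATES = frozenset({PROVENANCE_PREDICATE, SBOM_PREDICATE})


def validate_sbom(data: bytes) -> dict:
    """Gate for the 'Generate SBOM' step: reject empty, truncated or
    non-CycloneDX output before it can reach the attest step."""
    if not data.strip():
        raise ValueError("SBOM file is empty: the generator likely failed")
    try:
        doc = json.loads(data)
    except json.JSONDecodeError as exc:
        raise ValueError(f"SBOM is not valid JSON: {exc}") from exc
    if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
        raise ValueError("SBOM is not a CycloneDX document")
    if not isinstance(doc.get("components"), list):
        raise ValueError("SBOM carries no components list")
    return doc


def sbom_is_valid(data: bytes) -> bool:
    """Boolean form of validate_sbom for callers that only need a verdict."""
    try:
        validate_sbom(data)
    except ValueError:
        return False
    return True


def predicate_types(verify_output: str) -> set:
    """Predicate types present in (assumed-shape) gh attestation verify JSON."""
    found = set()
    for item in json.loads(verify_output):
        statement = item.get("verificationResult", {}).get("statement", {})
        if statement.get("predicateType"):
            found.add(statement["predicateType"])
    return found


def missing_predicates(verify_output: str,
                       required: Iterable[str] = REQUIRED_PREDICATES) -> set:
    """Required predicate types not covered by the verified attestations;
    an empty set means provenance and SBOM are both attested for the artifact."""
    return set(required) - predicate_types(verify_output)


# Constructed samples standing in for real generator and gh output.
GOOD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [{"type": "library", "name": "serde", "version": "1.0.0"}],
}).encode()
TRUNCATED_SBOM = GOOD_SBOM[:40]  # generator killed mid-write: non-empty, not JSON
BOTH_ATTESTED = json.dumps([
    {"verificationResult": {"statement": {"predicateType": PROVENANCE_PREDICATE}}},
    {"verificationResult": {"statement": {"predicateType": SBOM_PREDICATE}}},
])
PROVENANCE_ONLY = json.dumps([
    {"verificationResult": {"statement": {"predicateType": PROVENANCE_PREDICATE}}},
])


def main(argv: list) -> int:
    """CLI: `script sbom.cdx.json` validates the file; gh JSON on stdin (if any)
    is checked for the required predicate types. Non-zero exit fails the job."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            validate_sbom(fh.read())
        print(f"{argv[1]}: valid CycloneDX SBOM")
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    if raw.strip():
        missing = missing_predicates(raw)
        if missing:
            print("missing attestation predicate types:", ", ".join(sorted(missing)))
            return 1
        print("provenance and SBOM attestations both present")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the gate before `actions/attest-sbom` (and without `continue-on-error` on the step) is what turns "the file exists" into "the file is a CycloneDX document worth signing"; the predicate check does the complementary job on the consumer side, since a single `gh attestation list --limit 1` hit proves only that some attestation exists somewhere in the repository.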
@27Bslash6 27Bslash6 merged commit b90d14c into main Apr 25, 2026
30 checks passed
@27Bslash6 27Bslash6 deleted the chore/supply-chain-security branch April 25, 2026 03:21
@27Bslash6 27Bslash6 restored the chore/supply-chain-security branch April 25, 2026 04:52