From 5ef4219422ac290f9a256f829f1ced0b99b3b571 Mon Sep 17 00:00:00 2001
From: immutable-art <138187673+immutable-art@users.noreply.github.com>
Date: Fri, 11 Oct 2024 10:26:40 +1100
Subject: [PATCH] ITSEC-2280 Add Dependency Review job; Add SBOM signing.

---
 .github/workflows/publish.yaml | 7 +++++++
 .github/workflows/test.yml | 10 ++++++++++
 2 files changed, 17 insertions(+)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index a326b55c..e3dddef3 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -9,6 +9,8 @@ jobs:
 publish:
 name: Publish to NPM
 runs-on: ubuntu-latest
+ permissions:
+ attestations: write
 steps:
 - name: Checkout
 uses: actions/checkout@v2
@@ -58,6 +60,11 @@ jobs:
 run: |
 rm -rf dist && yarn build
 
+ - name: Generate SDK attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: './dist'
+
 - name: Publish package
 uses: JS-DevTools/npm-publish@v1
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 23440ac7..cc98a486 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -92,6 +92,16 @@ jobs:
 uses: actions/checkout@v3
 - name: Run check script
 run: sh readmecheck.sh
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v4
+ - name: Dependency Review
+ uses: actions/dependency-review-action@v4
+ with:
+ # Possible values: "critical", "high", "moderate", "low"
+ fail-on-severity: critical
 publish:
 name: Publish to NPM (dry run)
 runs-on: ubuntu-latest
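Review bot: The job-level `permissions:` block added under `runs-on: ubuntu-latest` grants only `attestations: write`, which is not sufficient for the `actions/attest-build-provenance` step this same commit adds further down publish.yaml: that action signs through Sigstore using the job's OIDC token and therefore also needs `id-token: write`. Declaring any job-level `permissions:` block also resets every unlisted scope to none, so `contents: read` should be listed explicitly for the `actions/checkout` step that follows. The block should read `permissions:` / `contents: read` / `id-token: write` / `attestations: write`. The rest of the publish job lies outside this hunk.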
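Review bot: The attestation subject is the `./dist` directory, but what consumers download is the tarball that `JS-DevTools/npm-publish` uploads in the step after this one, so the per-file digests recorded here have nothing to match against the registry artifact; attesting the packed tarball (the output of `npm pack`/`yarn pack`) or, if the runner's npm supports it, publishing with npm's `--provenance` flag would yield a subject that can actually be verified. The commit subject says "SBOM signing", but this step emits SLSA build provenance rather than an SBOM, so either the message or the step name should say provenance (an SBOM attestation would be a separate `actions/attest-sbom` step). `actions/attest-build-provenance@v1` is also referenced by a mutable tag; in a workflow whose purpose is to make supply-chain claims, pinning each `uses:` to a full commit SHA with the tag in a trailing comment is the usual defensive convention. The enclosing publish job starts and ends outside this hunk.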
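Review bot: The new `dependency-review` job has no event guard, and `actions/dependency-review-action` only evaluates a diff on `pull_request`-style events (or when `base-ref`/`head-ref` are supplied); the workflow's `on:` block is outside this hunk, so if test.yml also runs on `push` the job needs `if: github.event_name == 'pull_request'` to avoid failing every push run. The job also declares no `permissions:` block, whereas the publish job in the sibling file now does; the action's documented minimum is `permissions:` / `contents: read` (adding `pull-requests: write` only if PR comment summaries are wanted), so the same least-privilege style should be applied here. `fail-on-severity: critical` deliberately lets high-severity advisories through, which is worth stating in the comment above it, e.g. `# high/moderate/low findings are reported but do not fail the job`. Minor style point: `'Checkout Repository'` is quoted while every other step name in the hunk is plain.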