From ea22b9823c13c56c949523afeee8c037ec55df48 Mon Sep 17 00:00:00 2001
From: Yuxuan Che
Date: Wed, 11 Feb 2026 14:57:37 -0800
Subject: [PATCH 1/2] chore(security): add SBOM artifact retention policy

Add sbom_reports to the compliance artifact retention tier (365 days) in artifact-retention.yml with SHA-pinned action references for anchore/sbom-action@v0.22.2 and actions/attest-sbom@v2.4.0.

- Add sbom_reports artifact type with 365-day retention
- Add sbom_reports to compliance required_artifacts list
- Add sbom_reports compression setting in github_actions section
- tool-checksums.json not updated (tracks binary tools, not GH Actions)

Closes #453
Part of #256
---
 .github/artifact-retention.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/artifact-retention.yml b/.github/artifact-retention.yml
index ee741524..da08e9b0 100644
--- a/.github/artifact-retention.yml
+++ b/.github/artifact-retention.yml
@@ -39,6 +39,19 @@ artifact_types:
 description: "Generated documentation, linting reports, and static analysis results"
 compression_level: 6
 
+ # SBOM reports (Software Bill of Materials)
+ sbom_reports:
+ retention_days: 365 # One year for audit and compliance requirements
+ description: "Software Bill of Materials reports generated by anchore/sbom-action and actions/attest-sbom"
+ compression_level: 9 # Maximum compression for storage efficiency
+ actions:
+ - name: "anchore/sbom-action"
+ version: "v0.22.2"
+ sha: "28d71544de8eaf1b958d335707167c5f783590ad"
+ - name: "actions/attest-sbom"
+ version: "v2.4.0"
+ sha: "bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b"
+
 # Compliance and audit artifacts
 compliance:
 retention_days: 365 # One year for audit requirements
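Review bot: The `description` string on the added `sbom_reports` type hard-codes the names of the two producing actions that the `actions:` list directly below already carries as structured entries, so any future swap of an action has to be mirrored into prose or the two drift apart; something like `description: "Software Bill of Materials reports; producing actions are listed under actions below"` keeps a single source of truth. The inline comments (`retention_days: 365 # One year …`, `compression_level: 9 # Maximum …`) use one space before `#`, which matches the existing `retention_days: 365 # One year for audit requirements` context line but is flagged by yamllint's default `comments` rule; if the file is ever linted, both the new and the existing lines will need two spaces.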
@@ -89,6 +102,7 @@ github_actions:
 # Compression settings for different artifact types
 compression:
 security_reports: 9 # Maximum compression
+ sbom_reports: 9 # Maximum compression for compliance artifacts
 build_outputs: 6 # Balanced compression/speed
 test_results: 6 # Balanced compression/speed
 logs: 3 # Minimal compression for quick access
@@ -126,6 +140,7 @@ compliance:
 - dependency_audit_reports
 - build_provenance_data
 - test_execution_logs
+ - sbom_reports
 
 # Data protection and privacy
 data_protection:

From a929856e8c0c5e9ff32de8078549498223fc1c21 Mon Sep 17 00:00:00 2001
From: Yuxuan Che
Date: Wed, 11 Feb 2026 22:58:08 -0800
Subject: [PATCH 2/2] chore(config): standardize action mappings in artifact-retention.yml

Extract the actions: sub-schema from sbom_reports into a dedicated top-level action_mappings: section. This maps GitHub Actions to the artifact types they produce with SHA-pinned references for traceability.

Artifact types covered:
- security_reports: codeql-action, scorecard-action, dependency-review-action
- build_artifacts: upload-artifact, attest-build-provenance
- test_results: codecov-action
- sbom_reports: sbom-action, attest-sbom

All SHAs match the pins currently used in workflow files.

Closes #483
---
 .github/artifact-retention.yml | 46 ++++++++++++++++++++++++++++------
 1 file changed, 39 insertions(+), 7 deletions(-)

diff --git a/.github/artifact-retention.yml b/.github/artifact-retention.yml
index da08e9b0..51b7afb4 100644
--- a/.github/artifact-retention.yml
+++ b/.github/artifact-retention.yml
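Review bot: In the `@@ -89,6 +102,7 @@` hunk of PATCH 1/2, `sbom_reports: 9` under `github_actions.compression` duplicates the `compression_level: 9` declared on `artifact_types.sbom_reports` in the same patch, and nothing in the file says which of the two the consumer reads, so a later edit to one can silently diverge from the other. This follows the pattern already used for `security_reports`, so it is consistent with the file, but a pointer comment would make the coupling explicit: `sbom_reports: 9 # keep in sync with artifact_types.sbom_reports.compression_level`. In the `@@ -126,6 +140,7 @@` hunk, `sbom_reports` is an `artifact_types` key whereas the existing `required_artifacts` entries (`dependency_audit_reports`, `build_provenance_data`, `test_execution_logs`) read as descriptive labels rather than type keys, so it is worth confirming the list is keyed the way its consumer expects before relying on it for compliance checks.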
@@ -44,13 +44,6 @@ artifact_types:
 retention_days: 365 # One year for audit and compliance requirements
 description: "Software Bill of Materials reports generated by anchore/sbom-action and actions/attest-sbom"
 compression_level: 9 # Maximum compression for storage efficiency
- actions:
- - name: "anchore/sbom-action"
- version: "v0.22.2"
- sha: "28d71544de8eaf1b958d335707167c5f783590ad"
- - name: "actions/attest-sbom"
- version: "v2.4.0"
- sha: "bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b"
 
 # Compliance and audit artifacts
 compliance:
@@ -107,6 +100,45 @@ github_actions:
 test_results: 6 # Balanced compression/speed
 logs: 3 # Minimal compression for quick access
 
+# Action-to-artifact mappings
+# Maps GitHub Actions to the artifact types they produce, with SHA-pinned references
+# for traceability and supply chain security validation.
+action_mappings:
+ security_reports:
+ - name: "github/codeql-action/analyze"
+ version: "v3.27.0"
+ sha: "ce729e4d353d580e6cacd6a8cf2921b72e5e310a"
+ - name: "github/codeql-action/upload-sarif"
+ version: "v3.27.0"
+ sha: "ce729e4d353d580e6cacd6a8cf2921b72e5e310a"
+ - name: "ossf/scorecard-action"
+ version: "v2.4.3"
+ sha: "4eaacf0543bb3f2c246792bd56e8cdeffafb205a"
+ - name: "actions/dependency-review-action"
+ version: "v4.3.4"
+ sha: "3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261"
+
+ build_artifacts:
+ - name: "actions/upload-artifact"
+ version: "v4.4.3"
+ sha: "b7c566a772e6b6bfb58ed0dc250532a479d7789f"
+ - name: "actions/attest-build-provenance"
+ version: "v3.2.0"
+ sha: "96278af6caaf10aea03fd8d33a09a777ca52d62f"
+
+ test_results:
+ - name: "codecov/codecov-action"
+ version: "v5.5.2"
+ sha: "671740ac38dd9b0130fbe1cec585b89eea48d3de"
+
+ sbom_reports:
+ - name: "anchore/sbom-action"
+ version: "v0.22.2"
+ sha: "28d71544de8eaf1b958d335707167c5f783590ad"
+ - name: "actions/attest-sbom"
+ version: "v2.4.0"
+ sha: "bd218ad0dbcb3e146bd073d1d9c6d78e08aa8a0b"
+
 # Storage optimization recommendations
 optimization:
 compression:
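Review bot: The new `action_mappings` section in the `@@ -107,6 +100,45 @@` hunk records SHA pins as plain data, but nothing in this patch validates them against the `uses:` references in the workflow files, even though the header comment promises "supply chain security validation" and the commit message asserts the SHAs currently match; the moment a dependency bot bumps a workflow pin, this file will silently report a stale SHA for that action and anyone auditing from it will be misled. If no CI check cross-references the two, say so in the header, e.g. `# NOTE: informational only, not enforced; update alongside the matching 'uses:' pins in the workflow files`, or add such a check and name it here. A smaller naming point: this section keys its build entries `build_artifacts`, while `github_actions.compression` (context of the earlier `@@ -89,6 +102,7 @@` hunk) uses `build_outputs`; if `artifact_types` uses `build_artifacts` as the commit message suggests, `build_outputs` is a pre-existing outlier worth a follow-up rename. The removal hunk `@@ -44,13 +44,6 @@` needs no comment.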