SBOM plan

[vadimpiven]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing supply chain security and transparency by updating development tool versions and introducing a comprehensive plan for Software Bill of Materials (SBOM) attestation. The changes streamline tool dependency management and lay the groundwork for generating and distributing signed CycloneDX SBOMs for native addon binaries, enabling better auditing and vulnerability response for consumers.

Highlights

• Tool Version Update: The .mise-version file has been updated to v2026.3.5, indicating an upgrade in the project's dependency management tool version.
• Structured Tool Definitions in mise.lock: The mise.lock file has been significantly refactored to use a more structured format for defining various tools (e.g., ripgrep, trivy, uv, cli, yq, node). Platform-specific details are now nested under [tools.<tool_name>."platforms.<platform_name>"] tables, improving readability and maintainability. Additionally, provenance = "cosign" has been added to several aquasecurity/trivy and google/yamlfmt platform entries.
• New SBOM Attestation Plan: A new detailed plan, plans/06-sbom-attestation.md, has been added to outline the process for attaching signed CycloneDX SBOMs to native addon binaries published to GitHub Releases. This plan covers installing cargo-cyclonedx, generating SBOMs in the build-packages job, attesting and uploading SBOMs, renaming files, adding smoke test verification, and creating a local mise task for SBOM generation.

Changelog

• .mise-version
  • Updated the mise tool version from v2026.2.23 to v2026.3.5.
• mise.lock
  • Refactored tool dependency definitions to use nested platform-specific tables for improved structure.
  • Added provenance = "cosign" metadata to platform entries for aquasecurity/trivy and google/yamlfmt.
• plans/06-sbom-attestation.md
  • Added a new document detailing a plan for SBOM attestation for native addon binaries.
  • Outlined steps for installing cargo-cyclonedx via mise.
  • Described the process for generating SBOMs once in the build-packages job to avoid redundancy.
  • Included instructions for attesting SBOMs using actions/attest-sbom and uploading them to GitHub Releases.
  • Specified a naming convention for SBOM files (.cdx.json) to include version information.
  • Proposed adding smoke test verification for SBOM download and attestation.
  • Defined a local mise task for developers to generate SBOMs.
  • Suggested updating the packages/node/README.md with information about the new SBOM feature.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[greptile-apps]

Greptile Summary

This PR adds a CycloneDX SBOM attestation plan for the native .node binary and bumps mise from v2026.2.23 to v2026.3.5 with lockfile updates.

The mise version bump is safe. However, the SBOM plan has two blocking logic issues that must be resolved before implementation:

1. Attestation subject / consumer mismatch: The SBOM is attested against package.tar.gz, but the consumer scenario instructs verification against the extracted .node binary. These files have different digests, so gh attestation verify will always fail for users following the consumer documentation.

2. cargo-cyclonedx Linux configuration gap: The mise.toml snippet restricts installation to macOS only (os = ["macos"]), but SBOM generation must run on the ubuntu-latest GitHub Actions runner. The tool will not be installed on Linux, causing CI to fail.

Additionally, the plan deviates from the project's .cursorrules structure requirements (missing Solution, Tables, and File Structure sections) and contains substantial explanatory prose that the rules ask to minimize.

Confidence Score: 2/5

• Not safe to implement as-is — two blocking logic issues must be resolved first.
• The mise version bump is safe, but the SBOM plan has two critical blocking issues: (1) the consumer verify command targets the wrong artifact, making it fail for users; (2) the tool is only configured for macOS while it must run on Linux, breaking CI. The plan also deviates from .cursorrules structure requirements. These issues must be resolved before implementation proceeds.
• plans/06-sbom-attestation.md

Comments Outside Diff (1)

1. plans/06-sbom-attestation.md, line 1-314 (link)

   Plan structure deviates from .cursorrules requirements

   The .cursorrules specifies that plans must follow this structure:

   1. Problem/Purpose — One-liner or brief description
   2. Solution — Technical approach (1-2 sentences max)
   3. Architecture — ASCII diagram if helpful
   4. Implementation — Code blocks with minimal inline comments
   5. Tables — For version sources, cache locations, build times, etc.
   6. File Structure — Tree showing files created/modified

   The current plan is missing:

   • Solution section (technical approach in 1-2 sentences)
   • Tables section (e.g., file manifest, version sources)
   • File Structure section (tree of modified/created files)

   Additionally, the rules explicitly ask to avoid explanatory prose ("Key insight:", "Why X?", verbose justifications). Sections like "Trust model" (lines 48–59), "Scope" (lines 22–32), "Format: CycloneDX 1.5" (lines 34–46), and "Consumer scenarios" (lines 273–304) contain explanatory text that should be condensed or moved to implementation code comments.

   After the two blocking logic issues are resolved, restructure the plan to match the .cursorrules format.

   Rule Used: .cursorrules (source)

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: plans/06-sbom-attestation.md
   Line: 1-314
   
   Comment:
   **Plan structure deviates from `.cursorrules` requirements**
   
   The `.cursorrules` specifies that plans must follow this structure:
   
   1. **Problem/Purpose** — One-liner or brief description
   2. **Solution** — Technical approach (1-2 sentences max)
   3. **Architecture** — ASCII diagram if helpful
   4. **Implementation** — Code blocks with minimal inline comments
   5. **Tables** — For version sources, cache locations, build times, etc.
   6. **File Structure** — Tree showing files created/modified
   
   The current plan is missing:
   - **Solution** section (technical approach in 1-2 sentences)
   - **Tables** section (e.g., file manifest, version sources)
   - **File Structure** section (tree of modified/created files)
   
   Additionally, the rules explicitly ask to avoid explanatory prose ("Key insight:", "Why X?", verbose justifications). Sections like "Trust model" (lines 48–59), "Scope" (lines 22–32), "Format: CycloneDX 1.5" (lines 34–46), and "Consumer scenarios" (lines 273–304) contain explanatory text that should be condensed or moved to implementation code comments.
   
   After the two blocking logic issues are resolved, restructure the plan to match the `.cursorrules` format.
   
   **Rule Used:** .cursorrules ([source](https://app.greptile.com/review/custom-context?memory=6fbb3da6-d9f7-45a9-90ca-0f3acb361976))
   
   How can I resolve this? If you propose a fix, please make it concise.

   _{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

_{Last reviewed commit: f3a8e39}

[greptile-apps]

Attestation subject / consumer verify mismatch

The SBOM is attested against packages/node/package.tar.gz (the npm tarball), but the consumer scenario on line 281 instructs users to verify against node_modules/node-reqwest/dist/node_reqwest.node (the extracted binary). gh attestation verify works by hashing the file you provide and looking up that exact digest. Since package.tar.gz and node_reqwest.node have different SHA-256 digests, verification will always fail for consumers.

Either the attestation subject must be changed to the .node binary (if extractable at build-packages stage), or consumer documentation must instruct verification against the tarball:

Suggested change

	uses: "actions/attest-sbom@10926c72720ffc3f7b666661c8e55b1344e2a365" # v2.4.0
	with:
	subject-path: "packages/node/package.tar.gz"
	sbom-path: "packages/node/bom.json"
	```
	gh attestation verify \
	package.tar.gz \
	--owner vadimpiven \
	--format json \
	--predicate-type https://cyclonedx.org/bom

The smoke test on line 220 also calls gh attestation verify on package.tar.gz, which is consistent with the attestation — but this creates a gap between what consumers should actually do (as documented on line 281) and what the attestation can verify.

Prompt To Fix With AI

This is a comment left during a code review.
Path: plans/06-sbom-attestation.md
Line: 159-163

Comment:
**Attestation subject / consumer verify mismatch**

The SBOM is attested against `packages/node/package.tar.gz` (the npm tarball), but the consumer scenario on line 281 instructs users to verify against `node_modules/node-reqwest/dist/node_reqwest.node` (the extracted binary). `gh attestation verify` works by hashing the file you provide and looking up that exact digest. Since `package.tar.gz` and `node_reqwest.node` have different SHA-256 digests, verification will always fail for consumers.

Either the attestation subject must be changed to the `.node` binary (if extractable at `build-packages` stage), or consumer documentation must instruct verification against the tarball:

```suggestion
gh attestation verify \
  package.tar.gz \
  --owner vadimpiven \
  --format json \
  --predicate-type https://cyclonedx.org/bom
```

The smoke test on line 220 also calls `gh attestation verify` on `package.tar.gz`, which is consistent with the attestation — but this creates a gap between what consumers should actually do (as documented on line 281) and what the attestation can verify.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Critical: cargo-cyclonedx not configured for Linux

The mise.toml snippet restricts installation to os = ["macos"], but the SBOM generation step runs on ubuntu-latest (native runner, not Docker) at line 98. With only macOS in the os list, mise will not install cargo-cyclonedx on the Linux runner, and the CI step will fail with "command not found".

The Remaining TODOs section acknowledges this gap, but it is blocking — the plan cannot be implemented as written. Before implementation, either:

1. Add linux to the os list with appropriate platform selectors (e.g., x86_64-unknown-linux-gnu or musl), or
2. Replace the mise-based installation with a fallback like cargo binstall on the Linux runner

Verify which approach is correct and update the mise.toml snippet accordingly.

Prompt To Fix With AI

This is a comment left during a code review.
Path: plans/06-sbom-attestation.md
Line: 71-78

Comment:
**Critical: `cargo-cyclonedx` not configured for Linux**

The `mise.toml` snippet restricts installation to `os = ["macos"]`, but the SBOM generation step runs on `ubuntu-latest` (native runner, not Docker) at line 98. With only macOS in the `os` list, mise will not install `cargo-cyclonedx` on the Linux runner, and the CI step will fail with "command not found".

The Remaining TODOs section acknowledges this gap, but it is blocking — the plan cannot be implemented as written. Before implementation, either:

1. Add `linux` to the `os` list with appropriate platform selectors (e.g., `x86_64-unknown-linux-gnu` or musl), or
2. Replace the mise-based installation with a fallback like `cargo binstall` on the Linux runner

Verify which approach is correct and update the `mise.toml` snippet accordingly.

How can I resolve this? If you propose a fix, please make it concise.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive plan for generating and attesting Software Bill of Materials (SBOMs) for the native addon binaries, a significant enhancement for supply chain security. The plan is well-structured and detailed. My review includes suggestions to refine the plan, focusing on the configuration for cargo-cyclonedx, clarifying the subject of the SBOM attestation to ensure it aligns with consumer needs, and improving the validation step in the local mise task for better developer experience.

[gemini-code-assist]

The plan suggests creating an SBOM attestation with subject-path: "packages/node/package.tar.gz". This binds the SBOM to the npm package tarball, which primarily contains JavaScript wrapper code.

However, the SBOM describes the Rust dependencies compiled into the .node binary, which is downloaded separately during postinstall. The goal of SBOM attestation is to provide transparency into the binary's contents. Therefore, the attestation subject should be the .node binary itself.

Since there are multiple binaries for different platforms, you should consider creating attestations for each of them. The actions/attest action supports multiple subjects. The build-packages job would need to download the .node artifacts from the build-addon matrix job to use them as subjects.

This also contradicts the consumer scenario described later in the plan (lines 281-286), which correctly shows a user verifying the attestation against the .node file.

[gemini-code-assist]

The proposed mise.toml configuration for cargo-cyclonedx only specifies os = ["macos"]. However, the plan states that the SBOM generation will happen in the build-packages job, which runs on ubuntu-latest. This configuration will prevent cargo-cyclonedx from being installed on the Linux runner.

The plan should be updated to include a configuration for Linux. Since a x86_64-unknown-linux-musl binary is available for cargo-cyclonedx, you could update the configuration like this:

[tools."github:CycloneDX/cyclonedx-rust-cargo"]
version_prefix = "cargo-cyclonedx-"
version = "0.5.7"
os = ["linux", "macos"]
[tools."github:CycloneDX/cyclonedx-rust-cargo".platforms]
linux-x64 = { asset_pattern = "*-x86_64-unknown-linux-musl*" }
macos-x64 = { asset_pattern = "*-x86_64-apple-darwin*" }
macos-arm64 = { asset_pattern = "*-aarch64-apple-darwin*" }

This will ensure the tool is available on all necessary developer and CI platforms.

[gemini-code-assist]

The validation step in the proposed mise task, jq -e '.components | length' packages/node/bom.json, will only print the number of components and will not fail the task if the SBOM is empty or malformed. To make this a meaningful validation step, it should check if the number of components is greater than a certain threshold, similar to the CI validation step. This will cause the task to fail if the generated SBOM is not as expected, making the local task's validation consistent with the proposed CI validation and providing a more reliable check for developers.

Suggested change

	jq -e '.components | length' packages/node/bom.json
	jq -e '.components | length > 50' packages/node/bom.json