feat: generate custom sbom

.github/workflows/check.yml

@@ -57,5 +57,8 @@ jobs:
           files: ./coverage/cobertura-coverage.xml
           token: ${{ secrets.CODECOV_TOKEN }}
 
+      - name: Generate SBOM
+        run: pnpm --reporter=silent sbom | tee sbom.cdx.json | jq
+
       - name: Publish dry-run
         run: npm publish --dry-run

.github/workflows/release-please.yml

@@ -42,14 +42,18 @@ jobs:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm publish --provenance --access public
 
-      - name: Attestation
+      - name: Generate SBOM
+        run: pnpm --reporter=silent sbom | tee sbom.cdx.json | jq
+
+      - name: Attest
         if: ${{ steps.release.outputs.release_created }}
-        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1
+        uses: actions/attest-sbom@5026d3663739160db546203eeaffa6aa1c51a4d6 # v1
         with:
-          subject-path: ./src/argon2.wasm
+          subject-path: src/argon2.wasm
+          sbom-path: sbom.cdx.json
 
       - name: Upload Release Artifact
         if: ${{ steps.release.outputs.release_created }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: gh release upload ${{ steps.release.outputs.tag_name }} ./src/argon2.wasm
+        run: gh release upload ${{ steps.release.outputs.tag_name }} src/argon2.wasm sbom.cdx.json

.pnpmfile.cjs

@@ -0,0 +1,9 @@
+// eslint-disable-next-line no-undef
+module.exports = {
+  hooks: {
+    readPackage: (pkg) => {
+      if (pkg.name === "@cyclonedx/cyclonedx-library") delete pkg.optionalDependencies;
+      return pkg;
+    }
+  }
+};

build.sh

@@ -26,6 +26,7 @@ set -eu
     -o ../src/argon2.wasm \
     src/argon2.c src/core.c src/blake2/blake2b.c src/encoding.c src/opt.c
 
-  shasum ../src/argon2.wasm
+  sha1sum ../src/argon2.wasm
+  sha256sum ../src/argon2.wasm
   stat -c "%n %s" ../src/argon2.wasm
 )

package.json

@@ -44,9 +44,11 @@
     "bench": "pnpm vitest bench --run",
     "format": "prettier --write \"**/*.{js,ts,tsx,json,css,yml,yaml}\"",
     "format:check": "prettier --check \"**/*.{js,ts,tsx,json,css,yml,yaml}\"",
-    "check": "pnpm format:check && pnpm lint && pnpm typecheck && pnpm test"
+    "check": "pnpm format:check && pnpm lint && pnpm typecheck && pnpm test",
+    "sbom": "node --experimental-strip-types utils/sbom.ts"
   },
   "devDependencies": {
+    "@cyclonedx/cyclonedx-library": "6.11.0",
     "@eslint/js": "9.11.1",
     "@playwright/test": "1.47.2",
     "@trivago/prettier-plugin-sort-imports": "4.3.0",
@@ -56,10 +58,17 @@
     "eslint": "9.11.1",
     "globals": "15.9.0",
     "hash-wasm": "4.11.0",
+    "packageurl-js": "2.0.1",
     "prettier": "3.3.3",
     "typescript": "5.6.2",
     "typescript-eslint": "8.7.0",
     "vitest": "2.1.1"
   },
+  "pnpm": {
+    "ignoredOptionalDependencies": [
+      "fsevents",
+      "@pkgjs/parseargs"
+    ]
+  },
   "packageManager": "[email protected]+sha512.0a203ffaed5a3f63242cd064c8fb5892366c103e328079318f78062f24ea8c9d50bc6a47aa3567cabefd824d170e78fa2745ed1f16b132e16436146b7688f19b"
 }

release-please-config.json

@@ -18,7 +18,6 @@
     { "type": "test", "section": "Tests" },
     { "type": "build", "section": "Build System" },
     { "type": "ci", "section": "Continuous Integration" },
-    { "type": "infra", "section": "Infrastructure" },
     { "type": "release", "section": "Releases", "hidden": true }
   ],
   "packages": {