feat(build): add hve-core release pipeline with dependency SBOM and signing artifacts

[WilliamBerryiii]

Pull Request

Description

Add hve-core-aligned release pipeline with dependency SBOM generation, Sigstore signing artifact uploads, and OpenSSF Scorecard trigger improvements. Mirrors the release pipeline patterns from microsoft/hve-core to improve supply chain security posture.

Closes #419

Type of Change

• ✨ New feature (non-breaking change adding functionality)

Component(s) Affected

• workflows/ - Training and evaluation workflows

Changes

Release Pipeline (main.yml)

• generate-dependency-sbom job: sparse-checkout of all 16 dependency manifests (package.json, pyproject.toml, uv.lock, go.mod) across JavaScript, Python, and Go ecosystems; generates dependencies.spdx.json via anchore/sbom-action with .syft.yaml config and uploads to release assets
• Triple attestation in attest-release: build provenance, artifact SBOM, and dependency SBOM attestations via actions/attest; extracts .sigstore.json and .intoto.jsonl signing artifacts from the attestation bundle and uploads them to the release
• sbom-diff job: downloads previous release's dependencies.spdx.json, computes added/removed/changed dependency diff, and uploads dependency-diff.md to the release
• append-verification-notes job: appends Sigstore verification CLI instructions to release notes
• publish-release dependencies updated to gate on all new jobs

Scorecard Workflow (scorecard.yml)

• Added workflow_run trigger keyed to CI workflow completion so Scorecard re-scans immediately after releases
• Added workflow_dispatch for manual re-runs
• Added concurrency group to prevent duplicate runs
• Added condition to skip workflow_run triggers from failed CI runs

SBOM Cataloger Config (.syft.yaml)

• New Syft configuration for JavaScript (npm), Python, and Go catalogers with search-remote-licenses enabled

Testing Performed

• YAML validated with yaml.safe_load (0 errors)
• YAML validated with actionlint (0 errors)

Documentation Impact

• No documentation changes needed

Checklist

• My code follows the project conventions
• Commit messages follow conventional commit format
• I have performed a self-review
• Documentation impact assessed above
• No new linting warnings introduced

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 9b56d5a.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/download-artifact	95815c38cf2ff2164869cbab79da8d1f422bc89e	🟢 6.1	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 25 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits
actions/actions/upload-artifact	bbbca2ddaa5d8feaa63e36b76fdaad77386f024f	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 4 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/main.yml

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.04%. Comparing base (d97d42c) to head (9b56d5a).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #420   +/-   ##
=======================================
  Coverage   64.04%   64.04%           
=======================================
  Files         250      250           
  Lines       15319    15319           
  Branches     2108     2060   -48     
=======================================
  Hits         9811     9811           
  Misses       5220     5220           
  Partials      288      288           

Flag	Coverage Δ
pester	81.21% <ø> (ø)
pytest	92.40% <ø> (ø)
pytest-dataviewer	63.87% <ø> (ø)
pytest-fuzz	1.59% <ø> (ø)
vitest	50.80% <ø> (ø)

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.