Merge branch 'main' into dependabot/pip/backend/pytest-gte-8.3-and-lt-10.0

Author: Boyeep

.github/dependency-review-config.yml

@@ -1,7 +1,23 @@
 # Keep the initial policy focused on risky dependency changes first.
-# If you want stricter license enforcement later, add allow-licenses here.
+# This allowlist is intentionally based on the licenses already present in the
+# current dependency tree so normal updates do not become noisy immediately.
 fail-on-severity: high
 fail-on-scopes:
   - runtime
   - unknown
 license-check: true
+allow-licenses:
+  - Apache-2.0
+  - Apache-2.0 AND LGPL-3.0-or-later
+  - Apache-2.0 OR BSD-2-Clause
+  - BSD-2-Clause
+  - BSD-3-Clause
+  - BlueOak-1.0.0
+  - CC-BY-4.0
+  - CC0-1.0
+  - ISC
+  - MIT
+  - MPL-2.0
+  - PSF-2.0
+  - Python-2.0
+  - 0BSD

.github/workflows/release.yml

@@ -6,8 +6,7 @@ on:
       - "v*.*.*"
 
 permissions:
-  contents: write
-  packages: write
+  contents: read
 
 jobs:
   verify:
@@ -55,6 +54,17 @@ jobs:
     name: Publish GHCR Images
     needs: verify
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+      artifact-metadata: write
+    outputs:
+      backend-attestation-url: ${{ steps.attest-backend.outputs.attestation-url }}
+      frontend-attestation-url: ${{ steps.attest-frontend.outputs.attestation-url }}
+      backend-digest: ${{ steps.push-backend.outputs.digest }}
+      frontend-digest: ${{ steps.push-frontend.outputs.digest }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -97,6 +107,7 @@ jobs:
             type=semver,pattern={{major}}
 
       - name: Build and push backend image
+        id: push-backend
         uses: docker/build-push-action@v6
         with:
           context: ./backend
@@ -108,7 +119,16 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Generate backend provenance attestation
+        id: attest-backend
+        uses: actions/attest@v4
+        with:
+          subject-name: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend
+          subject-digest: ${{ steps.push-backend.outputs.digest }}
+          push-to-registry: true
+
       - name: Build and push frontend image
+        id: push-frontend
         uses: docker/build-push-action@v6
         with:
           context: ./frontend
@@ -120,23 +140,101 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Generate frontend provenance attestation
+        id: attest-frontend
+        uses: actions/attest@v4
+        with:
+          subject-name: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend
+          subject-digest: ${{ steps.push-frontend.outputs.digest }}
+          push-to-registry: true
+
   github-release:
     name: Publish GitHub Release
     needs: publish-images
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: read
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Set lowercase owner
         id: vars
         run: echo "owner=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
         shell: bash
 
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Prepare release asset directory
+        run: mkdir -p dist/release-assets
+        shell: bash
+
+      - name: Generate source SBOM asset
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          path: .
+          format: spdx-json
+          syft-version: v1.41.2
+          output-file: dist/release-assets/repo-source-${{ github.ref_name }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Generate backend image SBOM asset
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          image: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend@${{ needs.publish-images.outputs.backend-digest }}
+          format: spdx-json
+          syft-version: v1.41.2
+          output-file: dist/release-assets/backend-runner-${{ github.ref_name }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Generate frontend image SBOM asset
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          image: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend@${{ needs.publish-images.outputs.frontend-digest }}
+          format: spdx-json
+          syft-version: v1.41.2
+          output-file: dist/release-assets/frontend-runner-${{ github.ref_name }}.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
       - name: Publish release
         uses: softprops/action-gh-release@v2
         with:
           generate_release_notes: true
           append_body: true
+          files: |
+            dist/release-assets/repo-source-${{ github.ref_name }}.spdx.json
+            dist/release-assets/backend-runner-${{ github.ref_name }}.spdx.json
+            dist/release-assets/frontend-runner-${{ github.ref_name }}.spdx.json
           body: |
             ## Published Images
 
             - `ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend:${{ github.ref_name }}`
             - `ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend:${{ github.ref_name }}`
+
+            ## Provenance Attestations
+
+            - Backend image: ${{ needs.publish-images.outputs.backend-attestation-url }}
+            - Frontend image: ${{ needs.publish-images.outputs.frontend-attestation-url }}
+
+            ## Attached SBOM Assets
+
+            - `repo-source-${{ github.ref_name }}.spdx.json`
+            - `backend-runner-${{ github.ref_name }}.spdx.json`
+            - `frontend-runner-${{ github.ref_name }}.spdx.json`
+
+            ## Verification
+
+            ```bash
+            docker login ghcr.io
+            gh attestation verify oci://ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend:${{ github.ref_name }} -R ${{ github.repository }}
+            gh attestation verify oci://ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend:${{ github.ref_name }} -R ${{ github.repository }}
+            ```

.github/workflows/sbom.yml

@@ -0,0 +1,69 @@
+name: SBOM
+
+on:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "24 3 * * 3"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  source-sbom:
+    name: Source SBOM
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Generate repository source SBOM
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          path: .
+          format: spdx-json
+          artifact-name: repo-source.spdx.json
+          syft-version: v1.41.2
+          upload-release-assets: false
+
+  image-sbom:
+    name: Image SBOM (${{ matrix.name }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: backend
+            context: ./backend
+            dockerfile: ./backend/Dockerfile
+            target: runner
+            image: cv-kit-backend:sbom
+            artifact: backend-runner.spdx.json
+          - name: frontend
+            context: ./frontend
+            dockerfile: ./frontend/Dockerfile
+            target: runner
+            image: cv-kit-frontend:sbom
+            artifact: frontend-runner.spdx.json
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build runner image
+        run: >
+          docker build
+          --file ${{ matrix.dockerfile }}
+          --target ${{ matrix.target }}
+          --tag ${{ matrix.image }}
+          ${{ matrix.context }}
+
+      - name: Generate image SBOM
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          image: ${{ matrix.image }}
+          format: spdx-json
+          artifact-name: ${{ matrix.artifact }}
+          syft-version: v1.41.2
+          upload-release-assets: false

CONTRIBUTING.md

@@ -97,6 +97,8 @@ That command writes generated reports into `reports/licenses/`.
 
 Dependency review also runs automatically on pull requests to catch newly introduced vulnerable dependency changes.
 
+That dependency review config also includes an allowlist for the licenses already present in the current dependency tree. If you intentionally add a dependency under a new acceptable license, update `.github/dependency-review-config.yml` in the same pull request.
+
 ## Changing the API Contract
 
 If you modify request or response shapes:
@@ -131,6 +133,9 @@ If you modify request or response shapes:
 5. Wait for the release workflow to verify the repo, publish GHCR images, and create the GitHub Release.
 6. Confirm the release smoke workflow passes against the published images, or dispatch it manually for a tag if you need to re-check a release.
 
+The release notes will also include links to the image provenance attestations generated during the publish workflow.
+The release itself will also carry attached SPDX SBOM files for the source tree and the published runner images.
+
 The component labels used by Release Drafter are synced from `.github/labels.json`, and most of the common ones are applied automatically from changed paths.
 
 To run the same image smoke check locally, set `BACKEND_IMAGE` and `FRONTEND_IMAGE`, then run `npm run check:release-smoke`.

README.md

@@ -127,13 +127,19 @@ Pull requests also run GitHub dependency review so new vulnerable dependency cha
 
 A separate GitHub workflow generates license-report artifacts for the root workspace, frontend workspace, and backend Python environment.
 
+The dependency-review config also keeps a conservative allowlist of licenses already present in the current dependency tree, so tightening policy does not start by breaking routine updates.
+
+An SBOM workflow also publishes SPDX artifacts for the repository source plus the frontend and backend runner images.
+
 ## Releases
 
 - Release Drafter keeps a draft release updated from merged pull requests on `main` and can auto-label incoming pull requests by path.
 - Path-based labels help sort PRs into frontend, backend, CI/CD, docs, and maintenance categories automatically.
 - Release Drafter defaults to a patch bump unless a maintainer applies `minor` or `major` to the pull request.
 - Pushing a tag like `v0.1.0` triggers the release workflow.
 - That workflow verifies the tagged commit, publishes backend/frontend images to GHCR, and creates a GitHub Release with generated notes.
+- The release workflow also generates build-provenance attestations for the published GHCR images and links them from the release notes.
+- The GitHub Release also includes attached SPDX SBOM assets for the source tree and both runner images.
 - A follow-up smoke workflow pulls those published GHCR images and checks backend health, a real inference request, and the frontend shell before you treat the release as healthy.
 - Maintainers can re-run the same check manually with `BACKEND_IMAGE=... FRONTEND_IMAGE=... npm run check:release-smoke`.
 

SECURITY.md

@@ -33,6 +33,12 @@ The repository also uses automated scanning to help catch common security issues
 - CodeQL code scanning on GitHub for JavaScript/TypeScript, Python, and workflow files
 - GitHub dependency review on pull requests for newly introduced vulnerable dependency changes
 - GitHub license-report artifacts for npm and Python dependency inventories
+- GitHub SBOM artifacts for the repository source and runner images
+- GitHub build-provenance attestations for published release images
+
+Tagged releases also include attached SPDX SBOM files and release-note verification snippets for the published container images.
+
+Dependency review is also configured with an allowlist that matches the current dependency tree, so changes that introduce new license types are surfaced deliberately instead of silently drifting in.
 
 Those checks do not replace private disclosure. If you believe a vulnerability is real or
 exploitable, please still report it through a private advisory.

backend/pyproject.toml

@@ -6,6 +6,7 @@ build-backend = "hatchling.build"
 name = "nextjs-python-computer-vision-kit-backend"
 version = "0.1.0"
 description = "FastAPI backend for the computer vision starter kit."
+license = "MIT"
 readme = "README.md"
 requires-python = ">=3.12"
 dependencies = [

frontend/package.json

@@ -2,6 +2,7 @@
   "name": "frontend",
   "version": "0.1.0",
   "private": true,
+  "license": "MIT",
   "scripts": {
     "dev": "next dev",
     "build": "next build",