feat(ci): sign + SBOM + SLSA L3 provenance for images and tarballs

[Cre-eD]

Summary

Phase 2 of the supply-chain hardening pass. Every published artifact — Docker images (simplecontainer/{kubectl,caddy,github-actions,cloud-helpers}) and sc CLI tarballs on dist.simple-container.com — now ships with:

• A cosign keyless signature (Fulcio + Rekor, OIDC-bound to this repo's workflow).
• A CycloneDX SBOM (cosign attest --type cyclonedx) for every image; per-tarball .sbom.cdx.json sidecar.
• A SLSA Build L3 provenance attestation via actions/attest-build-provenance@v4.1.0 (GitHub-native, non-falsifiable).
• A post-publish verification job that re-fetches every artifact + sidecar and runs cosign verify + slsa-verifier against the documented production identity regex, on every release.

Plan reviewed by codex + gemini before implementation; reviewer findings applied:

• VEX cut from Phase 2 (not threat-mitigating; deferred post-Phase-4).
• Identity regex split prod vs staging (staging is not a production trust root).
• Continuous verification promoted from weekly cron to required post-publish gate.
• SC_VERIFY=warn design hardened (cosign sig failure with cosign present is always hard-fail) — lands in the follow-up sc.sh PR.

Tracker entries in HARDENING.md (Phase 2 — Plan section) and SECURITY-CONTROLS.md §3 reflect the locked scope.

What's in this PR

File	Change
.github/actions/install-attest-tools/action.yml (new)	One composite for cosign + syft + slsa-verifier. Single SHA-pinned source of truth; bump once, three workflows pick it up.
.github/workflows/push.yaml docker-build	Per-job id-token: write + attestations: write. docker buildx build loop replaced with docker/build-push-action@v7.1.0 (captures digest). Soft-fail sign + SBOM + SLSA provenance steps + aggregator.
.github/workflows/push.yaml build-platforms	Per-tarball sidecars: .sha256, .sbom.cdx.json, .cosign-bundle, .intoto.jsonl. upload-artifact path widened.
.github/workflows/push.yaml docker-finalize	Explicit sidecar-kind enumeration in the dist-copy step + count-assertion (Phase 2 bake-in: warn on missing).
.github/workflows/push.yaml verify-attestations (new job)	Re-fetches images + tarballs from Docker Hub / dist CDN; runs cosign verify + slsa-verifier verify-* against the prod identity regex. finalize job updated to needs: it.
.github/workflows/build-staging.yml	Same attestation pipeline for :staging images, signed with the staging OIDC identity (separate trust root).
SECURITY.md	Identity-regex contract (prod + staging), consumer verification command examples, V5 composite-action SHA-pin guidance, CDN-rollback residual-risk note.

Threat model (per HARDENING.md Phase 2 plan)

Vector	What this PR does
V1 Registry/CDN artifact swap	Closes — signature + provenance bind artifact to this workflow.
V2 MITM at install	Sidecars published; sc.sh verify lands in follow-up PR 2c.
V3 Compromised maintainer	Rekor transparency entry = post-hoc detection.
V4 CI runner exploit	SLSA L3 provenance = non-falsifiable build path.
V5 Composite-action mutable-tag pull	Minimum-viable doc: SECURITY.md documents how consumers SHA-pin the underlying image. Native verify-before-launch is a Phase 4/6 followup.
CDN rollback (new)	Documented residual risk; closed by sc.sh manifest-pinning in PR 2c, fully closed by TUF in Phase 6.

Soft-fail policy

Publish is the gating job. Sign + attest steps run after publish with continue-on-error: true, so a sigstore-public outage does not block a release. A trailing aggregator emits ::warning:: annotations and the post-publish verify-attestations job aggregates the failure for the Telegram notifier.

After 14 days of clean post-publish verification, flip the per-step continue-on-error to false (separate one-line PR; tracker entry in HARDENING.md).

Test plan

Cannot exercise the full workflow locally — sigstore + GitHub OIDC + Docker Hub push require the actual CI environment. The validation that can run pre-merge:

• YAML syntax — python3 -c 'import yaml; yaml.safe_load(open(...))' passes on all three touched files.
• actionlint 1.7.7 — all findings on this PR's added lines are info/style shellcheck nags (SC2012 fixed; remaining are pre-existing on unchanged code, including the known custom-runner-label warning for blacksmith-8vcpu-ubuntu-2204).
• go build ./... && go vet ./... && go test -short ./pkg/security/... — green (PR touches no Go).
• Manual workflow_dispatch dry-run from a fork or scratch branch — needs maintainer to trigger on staging first (small blast radius) to validate the staging-side attestation flow before merging.
• First-release smoke test post-merge: confirm cosign verify against the new prod identity regex succeeds on the freshly-pushed images and tarballs; confirm slsa-verifier verify-image + verify-artifact succeed; confirm verify-attestations job is green.

Out of scope (deliberate)

• sc.sh verify-before-extract — separate PR (2c), opens after this merges + at least one signed release exists on the CDN. Consumer-side change has different rollback semantics; bundling would force a synchronous revert.
• OpenVEX — cut from Phase 2 entirely (codex + gemini consensus: noise-reduction, not threat-mitigation). Defer to a standalone PR post-Phase-4.
• branch.yaml PPE split — accepted-risk, see existing nosemgrep annotation.
• Branch protection, signed-commits enforcement, MFA, required reviewers — repo-admin UI items, not PRs.

[github-actions]

Semgrep Scan Results

Repository: api | Commit: 26c2b54

Check	Status	Details
✅ Semgrep	Pass	0 total findings (no error/warning)

Scanned at 2026-05-13 15:25 UTC

[github-actions]

Security Scan Results

Repository: api | Commit: 26c2b54

Check	Status	Details
✅ Secret Scan	Pass	No secrets detected
⚠️ Dependencies (Trivy)	High	1 high, 1 total
⚠️ Dependencies (Grype)	High	1 high, 1 total
📦 SBOM	Generated	470 components (CycloneDX)

Scanned at 2026-05-13 15:26 UTC