
ci(053): release provenance — cosign, SBOM, SLSA, git-cliff CHANGELOG (WP-C1–C4)#502

Merged
Dumbris merged 6 commits into
mainfrom
ci/053-release-provenance
May 22, 2026

Conversation

@Dumbris Dumbris (Member) commented May 22, 2026

Part of spec 053 — OSS Repo Improvements (Track C). One of ~3 PRs splitting the OSS-report backlog. All four WPs bolt onto the existing release.yml; no GoReleaser migration (per spec non-goal).

What's in here

| WP | Adds | Notes |
|---|---|---|
| C1 cosign | checksums + keyless signing in release.yml | New Generate checksums step (the pipeline had none) → release-files/checksums.txt; sigstore/cosign-installer + cosign sign-blob --bundle → checksums.txt.cosign.bundle uploaded to the release. The release job now exposes a hashes output (base64 of checksums.txt) consumed by C3. Verify command documented inline. |
| C2 SBOM | anchore/sbom-action step | Syft SPDX-JSON SBOM of the source → release-files/mcpproxy-<ver>.spdx.json, uploaded with the release (and covered by checksums + signed transitively). |
| C3 SLSA | new provenance job | slsa-framework/slsa-github-generator generic generator, base64-subjects: needs.release.outputs.hashes, upload-assets: true. Pinned by semver tag @v2.1.0, NOT a SHA — the generator verifies its own ref to establish builder identity; SHA-pinning breaks it. This is the one documented exception to the repo's SHA-pin policy (commented in-line). |
| C4 CHANGELOG | cliff.toml + CHANGELOG.md + orhun/git-cliff-action step | Conventional-Commits config; checked-in CHANGELOG.md generated from full history (v0.1.0 → present, real grouped entries with PR/commit links). On release, git-cliff regenerates release-files/CHANGELOG.md (uploaded as an asset). Deliberately does not commit back to main — avoids PAT + branch-protection fragility (rationale in a comment). |

Step ordering in the release job

Reorganize → Set version → SBOM → CHANGELOG → checksums (covers SBOM + CHANGELOG) → Create release (uploads release-files/*) → install cosign → sign checksums → upload bundle. The provenance job runs after release and consumes its hashes output.

Verification

  • All three SHA-pinned new actions (cosign-installer v3.10.1, sbom-action v0.24.0, git-cliff-action v4.8.0) re-resolved via gh api — match their comments. SLSA generator tag v2.1.0 confirmed to exist.
  • release.yml parses; cliff.toml is valid TOML; CHANGELOG.md contains real (non-fabricated) grouped entries.
  • Checksums generation is re-run-safe: excludes checksums.txt + the cosign bundle from its own glob (a review-caught idempotency fix).

⚠️ Merge-order note

This PR edits release.yml; the sibling security PR (#501, WP-B5) rewrites release.yml to SHA-pin all pre-existing actions. A merge conflict between the two is expected. Recommended order: merge #501 first, then rebase this branch — resolution is mechanical (keep #501's SHA pins on the pre-existing steps; keep this PR's new steps/jobs). The SLSA generator's semver-tag reference must stay un-SHA-pinned through the resolution.

🤖 Generated with Claude Code
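As an added illustration, not the PR's own release.yml, the C1 "Generate checksums" step and its hashes output written as a shell script: checksums.txt is built from release-files/ while excluding itself and the cosign bundle (the re-run-safety fix noted under Verification), the base64 form that feeds the SLSA generator's base64-subjects input is produced, and the consumer-side sha256sum -c check is shown. The directory name, function names and the sha256sum/shasum fallback are assumptions.

```shell
# Added example (not code from PR #502). Assumes release assets sit in a
# directory passed as $1 and that sha256sum (GNU) or shasum (BSD/macOS) exists.
set -eu

# Portable sha256 line in "<hex>  <file>" format (sha256sum-compatible).
sha256_line() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}
sha256_check() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum -c "$1"; else shasum -a 256 -c "$1"; fi
}

# Re-run-safe checksum generation: the checksum file, its temp file and the
# cosign bundle are excluded from the glob so a second run never checksums
# the previous run's outputs.
generate_checksums() {
  (
    cd "$1"
    : > checksums.txt.tmp
    for f in *; do
      case "$f" in
        checksums.txt|checksums.txt.tmp|checksums.txt.cosign.bundle) continue ;;
      esac
      [ -f "$f" ] || continue
      sha256_line "$f" >> checksums.txt.tmp
    done
    mv checksums.txt.tmp checksums.txt
  )
}

# The SLSA generic generator expects base64 of sha256sum-format lines as
# base64-subjects; the release job exports this value as its `hashes` output.
hashes_output() {
  base64 < "$1/checksums.txt" | tr -d '\n'
}

# Consumer-side check a downloader runs after fetching the assets and
# checksums.txt (signature verification of checksums.txt via cosign is a
# separate step not shown here).
verify_checksums() {
  (cd "$1" && sha256_check checksums.txt >/dev/null)
}
```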

@cloudflare-workers-and-pages cloudflare-workers-and-pages (Bot) commented May 22, 2026

Deploying mcpproxy-docs with Cloudflare Pages

Latest commit: a4d3a71
Status: ⚡️ Build in progress...

@github-actions

📦 Build Artifacts

Workflow Run: View Run
Branch: ci/053-release-provenance

Available Artifacts

  • archive-darwin-amd64 (26 MB)
  • archive-darwin-arm64 (23 MB)
  • archive-linux-amd64 (15 MB)
  • archive-linux-arm64 (13 MB)
  • archive-windows-amd64 (26 MB)
  • archive-windows-arm64 (23 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (20 MB)
  • installer-dmg-darwin-arm64 (18 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 26272307132 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

@Dumbris Dumbris merged commit a88090d into main May 22, 2026
1 check was pending
@Dumbris Dumbris deleted the ci/053-release-provenance branch May 22, 2026 07:10