From 21217f7d28d6a5a4fd94f889e31b1b239b2626ab Mon Sep 17 00:00:00 2001
From: AleF83
Date: Sat, 16 May 2026 21:43:11 -0500
Subject: [PATCH 1/3] ci: add SBOM and build provenance attestation to docker image
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/tag.yaml | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/tag.yaml b/.github/workflows/tag.yaml
index 7a122d1..76f23d2 100644
--- a/.github/workflows/tag.yaml
+++ b/.github/workflows/tag.yaml
@@ -12,6 +12,11 @@ jobs:
 build_push_docker:
 name: Build and Push Docker image
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ attestations: write
+ packages: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
@@ -68,7 +73,8 @@ jobs:
 env:
 IMAGE_TAG: ${{ steps.get_version.outputs.version-without-v }}-test
- - name: Build and push new docker image
+ - id: build_push
+ name: Build and push new docker image
 uses: docker/build-push-action@v6
 with:
 push: true
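Review bot: The job-level `id-token: write` and `attestations: write` added in the `@@ -12,6 +12,11 @@` hunk apply to every step in the job, yet two steps stay pinned to mutable tags — `- uses: actions/checkout@v4` in this hunk and `uses: docker/build-push-action@v6` in the `@@ -68,7 +73,8 @@` hunk — while the attestation steps added later in the patch are pinned to full commit SHAs. A moved tag would execute with the ability to mint OIDC tokens and sign provenance for this repository's images, so the pins should be made consistent, e.g. `- uses: actions/checkout@<FULL_COMMIT_SHA> # v4` and `uses: docker/build-push-action@<FULL_COMMIT_SHA> # v6`, with the SHAs taken from the upstream releases. `contents: read` is the right least-privilege choice for a job that only needs to read the checkout. The `steps:` list continues outside both hunks, so other tag-pinned steps may exist that I cannot see.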
@@ -81,6 +87,30 @@ jobs:
 labels: |
 org.opencontainers.image.source=${{ github.event.repository.html_url }}
+ - name: Generate SBOM
+ uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
+ with:
+ image: ghcr.io/${{ steps.repository_owner.outputs.lowercase }}/oidc-server-mock:${{ steps.get_version.outputs.version-without-v }}
+ format: spdx-json
+ output-file: sbom.spdx.json
+ upload-artifact: true
+ upload-artifact-retention: 90
+
+ - name: Attest SBOM
+ uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0
+ with:
+ subject-name: ghcr.io/${{ steps.repository_owner.outputs.lowercase }}/oidc-server-mock
+ subject-digest: ${{ steps.build_push.outputs.digest }}
+ sbom-path: sbom.spdx.json
+ push-to-registry: true
+
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+ with:
+ subject-name: ghcr.io/${{ steps.repository_owner.outputs.lowercase }}/oidc-server-mock
+ subject-digest: ${{ steps.build_push.outputs.digest }}
+ push-to-registry: true
+
 build_push_nuget:
 name: Build and Push Nuget package
 runs-on: ubuntu-latest
From d52637bb2b5466520df5b2a684c4649a36911b2b Mon Sep 17 00:00:00 2001
From: AleF83
Date: Sat, 16 May 2026 21:47:54 -0500
Subject: [PATCH 2/3] ci: add inline comments for SBOM scope and deprecation notices
---
 .github/workflows/tag.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/tag.yaml b/.github/workflows/tag.yaml
index 76f23d2..f56e3c1 100644
--- a/.github/workflows/tag.yaml
+++ b/.github/workflows/tag.yaml
@@ -87,6 +87,7 @@ jobs:
 labels: |
 org.opencontainers.image.source=${{ github.event.repository.html_url }}
+ # Note: SBOM covers the amd64 variant only (Syft limitation with a single image: reference on ubuntu-latest).
 - name: Generate SBOM
 uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
 with:
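Review bot: In the `@@ -81,6 +87,30 @@` hunk the `Generate SBOM` step scans the image by its mutable tag (`image: ghcr.io/.../oidc-server-mock:${{ steps.get_version.outputs.version-without-v }}`), while the `Attest SBOM` step that follows binds the resulting file to `subject-digest: ${{ steps.build_push.outputs.digest }}`; nothing links the two, so if the tag is re-pointed between the push and the scan, or resolves to a different manifest than the one just built, the signed SBOM describes content other than the attested digest. Scanning by the digest the build step already exposes closes that gap: `image: ghcr.io/${{ steps.repository_owner.outputs.lowercase }}/oidc-server-mock@${{ steps.build_push.outputs.digest }}`. If the build produces a multi-platform index, that digest is the index digest and a single-platform SBOM only partially describes it, which is worth recording in the step name or a comment so consumers verifying the attestation know its scope. The registry login and the step that sets `steps.repository_owner` are outside the hunk, so I could not confirm the scan has pull access to the pushed image.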
@@ -96,6 +97,7 @@ jobs:
 upload-artifact: true
 upload-artifact-retention: 90
+ # Note: actions/attest-sbom v4 is a deprecated wrapper around actions/attest; functional, migrate separately.
 - name: Attest SBOM
 uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0
 with:
@@ -104,6 +106,7 @@ jobs:
 sbom-path: sbom.spdx.json
 push-to-registry: true
+ # Note: actions/attest-build-provenance v4 is a deprecated wrapper around actions/attest; functional, migrate separately.
 - name: Attest build provenance
 uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
 with:
From c239fa4deb3b924a5bd8898fc76d7558782c2127 Mon Sep 17 00:00:00 2001
From: AleF83
Date: Sat, 16 May 2026 21:51:13 -0500
Subject: [PATCH 3/3] fix(e2e): remove unnecessary type assertions in user-management spec
The `as unknown` casts on `expect.any(String)` expressions were flagged by `@typescript-eslint/no-unnecessary-type-assertion` since the receiver already accepts the original type.
Co-Authored-By: Claude Sonnet 4.6
---
 e2e/tests/custom-endpoints/user-management.spec.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/e2e/tests/custom-endpoints/user-management.spec.ts b/e2e/tests/custom-endpoints/user-management.spec.ts
index bf7514d..68a4236 100644
--- a/e2e/tests/custom-endpoints/user-management.spec.ts
+++ b/e2e/tests/custom-endpoints/user-management.spec.ts
@@ -100,15 +100,15 @@ describe('User management', () => {
 sub: expect.any(String),
 name: expect.any(String),
 email: expect.any(String),
- ['some-custom-identity-user-claim']: expect.any(String) as unknown,
+ ['some-custom-identity-user-claim']: expect.any(String),
 });
 }, 10000);
 test('Introspection Endpoint', async () => {
 await introspectEndpoint(token, 'some-app', {
 sub: expect.any(String),
- ['some-app-user-custom-claim']: expect.any(String) as unknown,
- ['some-app-scope-1-custom-user-claim']: expect.any(String) as unknown,
+ ['some-app-user-custom-claim']: expect.any(String),
+ ['some-app-scope-1-custom-user-claim']: expect.any(String),
 });
 });
 });