From 18d550c5b02450d3f03732b8da7364f710f5a0d3 Mon Sep 17 00:00:00 2001
From: JasonEran <junyi.qi@my.jcu.edu.au>
Date: Wed, 25 Feb 2026 16:08:09 +0800
Subject: [PATCH] ci(v2.3): stabilize supply-chain workflows and triggers (#46
 #47)

---
 .github/workflows/slsa-source-provenance.yml | 21 ++++++++
 .github/workflows/supply-chain.yml           | 55 +++++++++++++++-----
 CHANGELOG.md                                 |  1 +
 README.md                                    |  1 +
 docs/CI-SupplyChain-Stabilization-v2.3.md    | 43 +++++++++++++++
 docs/Release-Notes-v2.3.md                   |  2 -
 6 files changed, 109 insertions(+), 14 deletions(-)
 create mode 100644 docs/CI-SupplyChain-Stabilization-v2.3.md

diff --git a/.github/workflows/slsa-source-provenance.yml b/.github/workflows/slsa-source-provenance.yml
index 09930a6..dd3ef5a 100644
--- a/.github/workflows/slsa-source-provenance.yml
+++ b/.github/workflows/slsa-source-provenance.yml
@@ -1,6 +1,27 @@
 name: SLSA Provenance (Source)
 
 on:
+  push:
+    branches:
+      - master
+      - release/**
+    paths:
+      - .github/workflows/slsa-source-provenance.yml
+      - .github/workflows/supply-chain.yml
+      - docker-compose.yml
+      - infrastructure/**
+      - src/**
+      - third_party/**
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/slsa-source-provenance.yml
+      - .github/workflows/supply-chain.yml
+      - docker-compose.yml
+      - infrastructure/**
+      - src/**
+      - third_party/**
   workflow_dispatch:
 
 permissions:
diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
index 8e86365..dd8da57 100644
--- a/.github/workflows/supply-chain.yml
+++ b/.github/workflows/supply-chain.yml
@@ -1,6 +1,37 @@
 name: Supply Chain (SBOM + Cosign + SLSA)
 
 on:
+  push:
+    branches:
+      - master
+      - release/**
+    paths:
+      - .github/workflows/supply-chain.yml
+      - .github/workflows/slsa-source-provenance.yml
+      - docker-compose.yml
+      - infrastructure/**
+      - src/db/**
+      - src/services/core-dotnet/**
+      - src/services/ai-engine/**
+      - src/services/agent-cpp/**
+      - src/shared/protos/**
+      - src/web/dashboard/**
+      - third_party/**
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/supply-chain.yml
+      - .github/workflows/slsa-source-provenance.yml
+      - docker-compose.yml
+      - infrastructure/**
+      - src/db/**
+      - src/services/core-dotnet/**
+      - src/services/ai-engine/**
+      - src/services/agent-cpp/**
+      - src/shared/protos/**
+      - src/web/dashboard/**
+      - third_party/**
   workflow_dispatch:
 
 permissions:
@@ -56,7 +87,7 @@ jobs:
           echo "labels=" >> "$GITHUB_OUTPUT"
       - name: Build and push
         id: build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./src/services/core-dotnet/AetherGuard.Core/Dockerfile
@@ -66,7 +97,7 @@ jobs:
           labels: ${{ github.actor == 'nektos/act' && steps.meta-local.outputs.labels || steps.meta.outputs.labels }}
       - name: Generate SBOM
         if: ${{ github.actor != 'nektos/act' }}
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@v0.22.2
         with:
           image: ${{ steps.image-vars.outputs.image_base }}/core-service@${{ steps.build.outputs.digest }}
           registry-username: ${{ github.actor }}
@@ -81,7 +112,7 @@ jobs:
           path: sbom-core.spdx.json
       - name: Install cosign
         if: ${{ github.actor != 'nektos/act' }}
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@v4
       - name: Sign image
         if: ${{ github.actor != 'nektos/act' }}
         env:
@@ -148,7 +179,7 @@ jobs:
           echo "labels=" >> "$GITHUB_OUTPUT"
       - name: Build and push
         id: build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: ./src/services/ai-engine
           file: ./src/services/ai-engine/Dockerfile
@@ -158,7 +189,7 @@ jobs:
           labels: ${{ github.actor == 'nektos/act' && steps.meta-local.outputs.labels || steps.meta.outputs.labels }}
       - name: Generate SBOM
         if: ${{ github.actor != 'nektos/act' }}
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@v0.22.2
         with:
           image: ${{ steps.image-vars.outputs.image_base }}/ai-service@${{ steps.build.outputs.digest }}
           registry-username: ${{ github.actor }}
@@ -173,7 +204,7 @@ jobs:
           path: sbom-ai.spdx.json
       - name: Install cosign
         if: ${{ github.actor != 'nektos/act' }}
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@v4
       - name: Sign image
         if: ${{ github.actor != 'nektos/act' }}
         env:
@@ -240,7 +271,7 @@ jobs:
           echo "labels=" >> "$GITHUB_OUTPUT"
       - name: Build and push
         id: build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: ./src/web/dashboard
           file: ./src/web/dashboard/Dockerfile
@@ -250,7 +281,7 @@ jobs:
           labels: ${{ github.actor == 'nektos/act' && steps.meta-local.outputs.labels || steps.meta.outputs.labels }}
       - name: Generate SBOM
         if: ${{ github.actor != 'nektos/act' }}
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@v0.22.2
         with:
           image: ${{ steps.image-vars.outputs.image_base }}/web-service@${{ steps.build.outputs.digest }}
           registry-username: ${{ github.actor }}
@@ -265,7 +296,7 @@ jobs:
           path: sbom-web.spdx.json
       - name: Install cosign
         if: ${{ github.actor != 'nektos/act' }}
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@v4
       - name: Sign image
         if: ${{ github.actor != 'nektos/act' }}
         env:
@@ -332,7 +363,7 @@ jobs:
           echo "labels=" >> "$GITHUB_OUTPUT"
       - name: Build and push
         id: build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./src/services/agent-cpp/Dockerfile
@@ -342,7 +373,7 @@ jobs:
           labels: ${{ github.actor == 'nektos/act' && steps.meta-local.outputs.labels || steps.meta.outputs.labels }}
       - name: Generate SBOM
         if: ${{ github.actor != 'nektos/act' }}
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@v0.22.2
         with:
           image: ${{ steps.image-vars.outputs.image_base }}/agent-service@${{ steps.build.outputs.digest }}
           registry-username: ${{ github.actor }}
@@ -357,7 +388,7 @@ jobs:
           path: sbom-agent.spdx.json
       - name: Install cosign
         if: ${{ github.actor != 'nektos/act' }}
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@v4
       - name: Sign image
         if: ${{ github.actor != 'nektos/act' }}
         env:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ae7dab1..8bc37cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ Semantic Versioning.
 - Agent now injects W3C trace headers for HTTP requests.
 - Dashboard dependencies updated to Next.js 16.1.6.
 - Core external-signal ingestion now prefers batch enrichment and falls back to per-item enrichment.
+- CI supply-chain workflows now use path-filtered push/PR triggers and refreshed action versions.
 
 ### Deprecated
 - 
diff --git a/README.md b/README.md
index d40b3b6..ace45f1 100644
--- a/README.md
+++ b/README.md
@@ -209,6 +209,7 @@ Open the dashboard at http://localhost:3000.
 - v2.3 M3 canary evaluator script: scripts/qa/README.md
 - v2.3 M4 dynamic risk allocation (core): docs/Core-Dynamic-Risk-v2.3-M4.md
 - v2.3 M4 dashboard explainability: docs/Web-Explainability-v2.3-M4.md
+- v2.3 CI / supply-chain stabilization: docs/CI-SupplyChain-Stabilization-v2.3.md
 - v2.3 release notes: docs/Release-Notes-v2.3.md
 - v2.3 PR acceptance template: docs/PR-Template-v2.3-Acceptance.md
 
diff --git a/docs/CI-SupplyChain-Stabilization-v2.3.md b/docs/CI-SupplyChain-Stabilization-v2.3.md
new file mode 100644
index 0000000..6b2ab10
--- /dev/null
+++ b/docs/CI-SupplyChain-Stabilization-v2.3.md
@@ -0,0 +1,43 @@
+# v2.3 CI / Supply Chain Stabilization
+
+Epic: #14  
+Issues: #46, #47
+
+## Goal
+
+Stabilize heavy supply-chain workflows so they run only when relevant and remain compatible with current GitHub Actions ecosystem.
+
+## What Changed
+
+### Trigger policy
+
+Both workflows now support:
+
+- `workflow_dispatch` (manual release builds)
+- `push` (only `master` and `release/**` with path filters)
+- `pull_request` (to `master` with the same path filters)
+
+This avoids running heavy image/provenance jobs for unrelated edits.
+
+### Supply-chain hardening
+
+Updated key actions in `supply-chain.yml`:
+
+- `docker/build-push-action` -> `v6`
+- `anchore/sbom-action` -> `v0.22.2`
+- `sigstore/cosign-installer` -> `v4`
+
+SLSA reusable workflows stay on latest upstream release (`v2.1.0`).
+
+## Acceptance Mapping
+
+### #46
+
+- paths filters applied: **Done**
+- manual `workflow_dispatch` retained: **Done**
+
+### #47
+
+- SLSA permissions path preserved for reusable generators: **Done**
+- SBOM generation action upgraded/pinned to current release: **Done**
+- no deprecated action references in supply-chain workflow: **Done**
diff --git a/docs/Release-Notes-v2.3.md b/docs/Release-Notes-v2.3.md
index d637e20..07479c0 100644
--- a/docs/Release-Notes-v2.3.md
+++ b/docs/Release-Notes-v2.3.md
@@ -64,6 +64,4 @@ v2.3 upgrades Aether-Guard from static/reactive risk handling to a predictive mu
 
 ## Known Follow-ups
 
-- `#48` v2.3 release criteria checklist (open)
-- `#14` CI / supply-chain stabilization epic (open)
 - `#8` course/project management epic (open)