ci: add SBOM generation to publish workflow

.github/workflows/publish.yml

@@ -63,6 +63,16 @@ jobs:
       - name: Scan build artifacts for secrets
         run: gitleaks detect --config .gitleaks.toml --source ./build --no-git --verbose --redact
 
+      - name: Generate SBOM
+        run: npx @cyclonedx/cyclonedx-npm --output-file sbom.json --output-format json
+
+      - name: Upload SBOM as release artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.json
+          if-no-files-found: error
+
       - name: Version and Publish
         uses: changesets/action@v1
         with:

.gitignore

@@ -29,6 +29,9 @@ coverage/
 .automaker/authority/
 .automaker/settings.json
 
+# SBOM (generated artifact)
+sbom.json
+
 # Reports (generated artifacts)
 protoLabs.report.html
 *.report.html

README.md

@@ -676,6 +676,12 @@ See [`CONTRIBUTING.md`](./CONTRIBUTING.md) and [`LOCAL.md`](./LOCAL.md) for full
 
 ---
 
+## Compliance
+
+HELiXiR generates a [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM) as part of every release. The `sbom.json` artifact is attached to each GitHub Release and lists all runtime and development dependencies with their versions, licenses, and package identifiers — suitable for enterprise security audits and supply-chain compliance reviews.
+
+---
+
 ## Contributing
 
 See [CONTRIBUTING.md](./CONTRIBUTING.md) for guidelines.