Add release integrity checksums

Author: kamalsrini

.github/workflows/release-integrity.yml

@@ -0,0 +1,47 @@
+name: Release integrity
+
+on:
+  release:
+    types:
+      - published
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: Release tag to package
+        required: true
+
+permissions:
+  contents: write
+
+jobs:
+  package-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out release ref
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name || inputs.tag }}
+
+      - name: Build release archive
+        run: |
+          set -euo pipefail
+          tag="${{ github.event.release.tag_name || inputs.tag }}"
+          archive="SecuritySkills-${tag}.tar.gz"
+          mkdir -p dist
+          git archive --format=tar.gz --prefix="SecuritySkills-${tag}/" -o "dist/${archive}" HEAD
+          cd dist
+          sha256sum "${archive}" > SHA256SUMS
+
+      - name: Attach checksum artifacts to release
+        if: github.event_name == 'release'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          gh release upload "${{ github.event.release.tag_name }}" dist/* --clobber
+
+      - name: Upload workflow artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-integrity-artifacts
+          path: dist/*

CONTRIBUTING.md

@@ -180,6 +180,10 @@ If your contribution changes CI/CD examples, update
 ruby scripts/validate_ci_cd_examples.rb
 ```
 
+Release artifacts are checksummed by the GitHub release workflow. See
+[docs/release-integrity.md](docs/release-integrity.md) before changing release
+packaging.
+
 ### Normalized JSON output
 
 Every skill must be able to emit findings as normalized JSON that validates

README.md

@@ -126,6 +126,10 @@ ruby scripts/validate_framework_registry.rb
 ruby scripts/validate_framework_registry.rb --stale --max-age-days 365
 ```
 
+Release archives include SHA-256 checksums generated by the release workflow.
+See [`docs/release-integrity.md`](docs/release-integrity.md) for verification
+steps.
+
 CI/CD examples for GitHub Actions, GitLab CI, Azure DevOps, Jenkins,
 pre-commit, and local agent usage are available in
 [`docs/ci-cd-examples.md`](docs/ci-cd-examples.md). Validate those examples

docs/release-integrity.md

@@ -0,0 +1,30 @@
+# Release Integrity
+
+Release artifacts are produced by the `Release integrity` GitHub Actions
+workflow. When a GitHub release is published, the workflow creates:
+
+- `SecuritySkills-<tag>.tar.gz`: archive built from the release tag.
+- `SHA256SUMS`: SHA-256 checksum file for the archive.
+
+Both files are attached to the GitHub release. The workflow can also be run
+manually with a tag through `workflow_dispatch`; manual runs upload the same
+files as workflow artifacts for review.
+
+## Verify A Release
+
+Download the release archive and `SHA256SUMS`, then run:
+
+```bash
+sha256sum -c SHA256SUMS
+```
+
+Expected output:
+
+```text
+SecuritySkills-<tag>.tar.gz: OK
+```
+
+This repository currently provides checksum-based release integrity. If a future
+release process adds key-managed artifact signing, keep checksum generation in
+place so consumers can verify artifacts even when they do not participate in the
+signing trust chain.