[ITSEC-2280] Add contracts folder to be attested (#249)

* ITSEC-2280 Add Dependency Review job; Add SBOM signing.

* ITSEC-2280 Update CODEOWNERS to include Product Security on .github

* ITSEC-2280: Fix the dependency review action

Signed-off-by: immutable-art <[email protected]>

* ITSEC-2280 Update permissions for GH attestations

Signed-off-by: immutable-art <[email protected]>

* ITSEC-2280: Add 'contracts' for artifact signing

Signed-off-by: immutable-art <[email protected]>

---------

Signed-off-by: immutable-art <[email protected]>

Author: immutable-art

.github/workflows/publish.yaml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write # Required for GitHub Attestation
-      attestations: write # Required for GitHub Attestation
+      attestations: write # Required for GitHub Attestation 
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -64,7 +64,9 @@ jobs:
       - name: Generate SDK attestation
         uses: actions/attest-build-provenance@v1
         with:
-          subject-path: './dist'
+          subject-path: |
+            dist
+            contracts
   
       - name: Publish package
         uses: JS-DevTools/npm-publish@v1