ITSEC-2280 Add the remaining artifacts for SBOM signing (#250)

* ITSEC-2280 Add Dependency Review job; Add SBOM signing.

* ITSEC-2280 Update CODEOWNERS to include Product Security on .github

* ITSEC-2280: Fix the dependency review action

Signed-off-by: immutable-art <[email protected]>

* ITSEC-2280 Update permissions for GH attestations

Signed-off-by: immutable-art <[email protected]>

* ITSEC-2280: Add 'contracts' for artifact signing

Signed-off-by: immutable-art <[email protected]>

* ITSEC-2280: Add the remaining meta files for attestation

Signed-off-by: immutable-art <[email protected]>

---------

Signed-off-by: immutable-art <[email protected]>

Author: immutable-art

.github/workflows/publish.yaml

@@ -67,6 +67,9 @@ jobs:
           subject-path: |
             dist
             contracts
+            README.md
+            LICENSE.md
+            package.json
   
       - name: Publish package
         uses: JS-DevTools/npm-publish@v1