feat(ci): 集成Feluda工具实现合规性检查和SBOM生成

- 在CI工作流中添加Feluda工具设置和合规性文件生成
- 集成SBOM生成功能，支持SPDX和CycloneDX格式
- 添加SBOM文件验证步骤并生成验证报告
- 实现许可证合规工件上传，包含通知文件和第三方许可证
- 更新发布工作流以包含合规性信息和SBOM文件到发布内容
- 修改权限设置以支持内容写入操作

.github/workflows/ci.yml

@@ -9,7 +9,7 @@ on:
     branches: [ main, master ]
 
 permissions:
-  contents: read
+  contents: write
   security-events: write
 
 jobs:
@@ -93,37 +93,7 @@ jobs:
           fail-on-restrictive: true
           fail-on-incompatible: true
           update-badge: true
-          
+          update-badge: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-      # 生成合规性文件，执行两次feluda generate命令
-      - name: Generate compliance files
-        run: |
-          echo "1" | feluda generate
-          echo "2" | feluda generate
-
-      # 生成软件物料清单(SBOM)文件，输出SPDX和CycloneDX两种格式
-      - name: Generate SBOM
-        run: |
-          feluda sbom spdx --output sbom.spdx.json
-          feluda sbom cyclonedx --output sbom.cyclonedx.json
-
-      # 验证生成的SBOM文件的有效性，并输出验证结果到文本文件
-      - name: Validate SBOM files
-        run: |
-          feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt
-          feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt
-
-      # 上传许可证合规相关的工件文件，包括通知文件、第三方许可证、SBOM文件及验证结果
-      - name: Upload compliance artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: license-compliance
-          path: |
-            NOTICE
-            THIRD_PARTY_LICENSES.md
-            sbom.spdx.json
-            sbom.cyclonedx.json
-            sbom-spdx-validation.txt
-            sbom-cyclonedx-validation.txt
 
       # 构建项目，使用Release配置且跳过恢复步骤
       - name: Build

.github/workflows/publish.yml

@@ -67,7 +67,38 @@ jobs:
           set -e
           echo "Packing with version=${{ steps.tag_version.outputs.version }}"
           dotnet pack -c Release -o ./packages -p:PackageVersion=${{ steps.tag_version.outputs.version }} -p:IncludeSymbols=false
+      - name: Setup Feluda
+        uses: anistark/feluda@v1.11.1
+      # 生成合规性文件，执行两次feluda generate命令
+      - name: Generate compliance files
+        run: |
+          echo "1" | feluda generate
+          echo "2" | feluda generate
 
+      # 生成软件物料清单(SBOM)文件，输出SPDX和CycloneDX两种格式
+      - name: Generate SBOM
+        run: |
+          feluda sbom spdx --output sbom.spdx.json
+          feluda sbom cyclonedx --output sbom.cyclonedx.json
+
+      # 验证生成的SBOM文件的有效性，并输出验证结果到文本文件
+      - name: Validate SBOM files
+        run: |
+          feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt
+          feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt
+
+      # 上传许可证合规相关的工件文件，包括通知文件、第三方许可证、SBOM文件及验证结果
+      - name: Upload compliance artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: license-compliance
+          path: |
+            NOTICE
+            THIRD_PARTY_LICENSES.md
+            sbom.spdx.json
+            sbom.cyclonedx.json
+            sbom-spdx-validation.txt
+            sbom-cyclonedx-validation.txt
       - name: Show packages
         run: ls -la ./packages || true
 
@@ -134,10 +165,21 @@ jobs:
         with:
           generate_release_notes: true
           name: "Release ${{ github.ref_name }}"
-          body: "Release created by CI for tag ${{ github.ref_name }} (package version ${{ steps.get_version.outputs.version }})"
+          body: |
+            Release created by CI for tag ${{ github.ref_name }}
+            Package version: ${{ steps.get_version.outputs.version }}
+
+            ## Compliance
+            - NOTICE
+            - THIRD_PARTY_LICENSES
+            - SPDX & CycloneDX SBOM
           draft: false
           prerelease: false
-          # 核心优化：直接支持通配符
+          files: |
-          files: ./packages/*.nupkg
+            ./packages/*.nupkg
+            NOTICE
+            THIRD_PARTY_LICENSES.md
+            sbom.spdx.json
+            sbom.cyclonedx.json
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}