CI pipeline for verifiable builds (#496)

.github/workflows/ci-verifiable-build.yml

@@ -0,0 +1,46 @@
+name: Verifiable Build
+on:
+  push:
+    tags:
+      - "program-v*"
+
+env:
+  APP_NAME: mango_v4
+
+jobs:
+  build:
+    name: Build Verifiable Artifact
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+
+      - name: Verifiable Build
+        run: |
+          cargo run -p anchor-cli -- build --verifiable --solana-version 1.14.13 -- --features enable-gpl
+
+      - name: Generate Checksum
+        run: |
+          echo "CHECKSUM=$(sha256sum ./target/verifiable/${{ env.APP_NAME }}.so | head -c 64)" >> $GITHUB_ENV
+
+      - name: Generate SBOM
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'cyclonedx'
+          output: '${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json'
+
+      - name: Create Release
+        id: create_release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ github.ref_name }}
+          name: ${{ github.ref_name }}
+          body: |
+            sha256 checksum: ${{ env.CHECKSUM }}
+            github commit: ${{ github.sha }}
+          files: |
+            ./target/verifiable/${{ env.APP_NAME }}.so
+            ./${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json