v1.5.0 Full supply-chain components for Go projects: - go-audit: lint-stage govulncheck. allow_failure: true. - go-sbom: tag-only CycloneDX SBOM per binary via syft. - slsa-attest: tag-only SLSA v1.0 provenance per binary, keyless-signed via cosign + GitLab OIDC. Predicate field set matches public-sector-tools' attest template; verify with cosign verify-blob-attestation --type slsaprovenance1 or slsa-verifier. - release-create: updated to link SBOMs and SLSA bundles alongside binaries on the GitLab Release page. Combined with v1.4.0's go-build, go-release-binary, and the existing release-create, any Go project in the dunn.dev estate can now compose a full branch-and-tag CI from catalog includes: audit + build on branches; package + sbom + attest + release on tags. First consumer: dunn.dev/bairn at v0.1.0.