Hi Cosign team,

First, thank you for all the great work you’ve done on Cosign! I’m new to supply chain security tools and am trying to better understand how to integrate various components. Most of my repositories are REUSE-compliant, and I’m exploring ways to incorporate SPDX SBOMs and licensing information into GitHub attestations using Cosign and the actions/attest GitHub Action.
If I misunderstand anything, please forgive me, and I’d really appreciate your help in guiding me toward the right approach.
Questions:
How can I attach the output of the reuse spdx command (which generates the SPDX SBOM and license data) to Cosign?
How can I use the npm sbom command to generate a Software Bill of Materials (SBOM) and include it in GitHub attestations using actions/attest in in-toto format?
Is there a recommended way to integrate Cosign with GitHub's attestation framework to ensure SPDX compliance and licensing information are properly included?
I’d be very grateful for any examples or advice to help me connect these tools in a meaningful way.
Thank you again for your work and support!
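An added example workflow that connects the tools asked about. It is not from the original post and not the Cosign project's own code: `reuse spdx` output (SPDX tag-value) is attached with `cosign attest-blob --type spdx`, `npm sbom` output (SPDX JSON) is attested through `actions/attest-sbom` (which wraps it in an in-toto Statement with predicateType `https://spdx.dev/Document`), and both attestations are verified in the same job. It assumes an npm project packaged with `npm pack` into `dist/`; `OWNER`/`REPO` and the bundle file name `reuse-sbom.sigstore.json` are placeholders.

```yaml
# .github/workflows/attest-sboms.yml  (added example; not from the Cosign project)
name: attest-sboms

on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write      # OIDC token: used by cosign keyless signing and by actions/attest-sbom
  attestations: write  # lets actions/attest-sbom store the attestation on GitHub

jobs:
  sbom-and-attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'   # ships npm 10, which provides `npm sbom`

      - uses: sigstore/cosign-installer@v3

      # Build the artifact the attestations are about. `npm pack` writes
      # <name>-<version>.tgz into dist/ (assumed project layout).
      - name: Build package
        run: |
          npm ci
          npm pack --pack-destination dist

      # Licensing data from REUSE: `reuse spdx` emits an SPDX tag-value document.
      # `reuse lint` fails the job if the repository is not REUSE-compliant.
      - name: REUSE lint and SPDX export
        run: |
          pip install reuse
          reuse lint
          reuse spdx -o reuse.spdx

      # Dependency SBOM from npm as SPDX JSON, the format actions/attest-sbom accepts.
      - name: npm SBOM (SPDX JSON)
        run: npm sbom --sbom-format spdx --omit dev > npm-sbom.spdx.json

      # Question 2: in-toto Statement (predicateType https://spdx.dev/Document),
      # signed with Sigstore and stored in GitHub's attestation store.
      - name: Attest npm SBOM with GitHub attestations
        uses: actions/attest-sbom@v1
        with:
          subject-path: dist/*.tgz
          sbom-path: npm-sbom.spdx.json

      # Question 1: the REUSE output is tag-value, not JSON, so actions/attest
      # (which parses its predicate as JSON) cannot take it directly. Cosign's
      # `spdx` predicate type stores the tag-value text as-is. Signing is keyless
      # via the job's OIDC token; the bundle file name is an assumption.
      - name: Attest REUSE SPDX with cosign (keyless)
        run: |
          PKG=$(ls dist/*.tgz)
          cosign attest-blob --yes \
            --type spdx \
            --predicate reuse.spdx \
            --bundle reuse-sbom.sigstore.json \
            "$PKG"

      # Verify both before anything downstream trusts them. gh only looks for
      # SLSA provenance unless --predicate-type names another type; the cosign
      # check pins the signing identity to this repository's workflows.
      - name: Verify attestations
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          PKG=$(ls dist/*.tgz)
          gh attestation verify "$PKG" --owner OWNER \
            --predicate-type https://spdx.dev/Document
          cosign verify-blob-attestation "$PKG" \
            --bundle reuse-sbom.sigstore.json \
            --type spdx \
            --certificate-identity-regexp '^https://github.com/OWNER/REPO/' \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com

      - uses: actions/upload-artifact@v4
        with:
          name: release
          path: |
            dist/*.tgz
            reuse.spdx
            npm-sbom.spdx.json
            reuse-sbom.sigstore.json
```

Two points a practitioner should keep in mind. The two attestations end up in different places: `actions/attest-sbom` writes to GitHub's attestation store (queried with `gh attestation verify`), while `cosign attest-blob` produces a Sigstore bundle file you ship alongside the artifact (verified with `cosign verify-blob-attestation`), so the verifier must match the producer. And `actions/attest` with `predicate-path` expects a JSON predicate, so REUSE's tag-value output would first have to be converted to SPDX JSON before it could be attached that way; the cosign `spdx` type avoids the conversion.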