Publish SBOMs

[SgtCoDFish]

I can see that SBOMs are generated by make oci-build-manager in trust-manager. It looks like these would be helpful to publish in releases, and it shouldn't be hard to add them to github releases.

I'd actually assumed we were publishing these but it doesn't seem like we are!

For example, on the v0.10.0 tag of trust-manager:

$ ls _bin/scratch/image/oci-layout-manager.v0.10.0.sbom
trust-manager-index.spdx.json
trust-manager-linux-amd64.spdx.json
trust-manager-linux-arm-v7.spdx.json
trust-manager-linux-arm64.spdx.json
trust-manager-linux-ppc64le.spdx.json

[inteon]

I can confirm: we have not yet implemented sbom pushing.
Important to consider here:

• figure out a strategy for re-pushing the same tag (reproducible builds + sboms)
• make sure the SBOMs are still useable after the image was mutated (eg. an extra layer was added)
• verify that the SBOM also refers to the base image's SBOM and that that SBOM is retrievable

[wallrj]

Maybe related, I just noticed the following warning when doing an approver-policy-enterprise release:

WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755). Instead, please use SBOM attestations.