I can see that SBOMs are generated by make oci-build-manager in trust-manager. It looks like these would be helpful to publish in releases, and it shouldn't be hard to add them to GitHub releases.
I'd actually assumed we were publishing these but it doesn't seem like we are!
For example, on the v0.10.0 tag of trust-manager:
$ ls _bin/scratch/image/oci-layout-manager.v0.10.0.sbom
trust-manager-index.spdx.json
trust-manager-linux-amd64.spdx.json
trust-manager-linux-arm-v7.spdx.json
trust-manager-linux-arm64.spdx.json
trust-manager-linux-ppc64le.spdx.json
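The publishing step the issue asks for, as an added example that is not trust-manager's own tooling or the author's code: it derives the SBOM directory for a tag from the listing above, checks that each `*.spdx.json` file is non-empty and declares an `spdxVersion`, and then attaches the files to the matching GitHub release with the `gh` CLI. It assumes `gh` is installed and authenticated for the real upload; with `DRY_RUN=1` it only prints the command, which is what the constructed demo at the bottom does.

```shell
#!/bin/sh
# Added example, not trust-manager's own tooling. Assumes the directory layout
# shown in the issue: <base>/oci-layout-manager.<tag>.sbom/*.spdx.json
set -eu

# Directory that `make oci-build-manager` writes the SBOMs to for a given tag.
# Usage: sbom_dir TAG [BASE]   (BASE defaults to _bin/scratch/image)
sbom_dir() {
  tag="$1"
  base="${2:-_bin/scratch/image}"
  printf '%s/oci-layout-manager.%s.sbom\n' "$base" "$tag"
}

# Sanity-check every *.spdx.json in a directory: it must be non-empty and declare
# an spdxVersion. Prints the number of good files; returns non-zero if any is bad
# or if the directory holds no SBOMs at all.
check_sboms() {
  dir="$1"
  ok=0
  bad=0
  for f in "$dir"/*.spdx.json; do
    [ -e "$f" ] || { echo "no SBOMs found in $dir" >&2; return 1; }
    if [ -s "$f" ] && grep -q '"spdxVersion"' "$f"; then
      ok=$((ok + 1))
    else
      echo "invalid SBOM: $f" >&2
      bad=$((bad + 1))
    fi
  done
  echo "$ok"
  [ "$bad" -eq 0 ]
}

# Attach the SBOMs to the GitHub release for TAG (the release must already
# exist). --clobber replaces assets of the same name on a re-run. With DRY_RUN=1
# the gh command is printed instead of executed.
# Usage: publish_sboms TAG [BASE]
publish_sboms() {
  tag="$1"
  dir=$(sbom_dir "$tag" "${2:-_bin/scratch/image}")
  check_sboms "$dir" >/dev/null || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "gh release upload $tag $dir/*.spdx.json --clobber"
  else
    gh release upload "$tag" "$dir"/*.spdx.json --clobber
  fi
}

# Constructed demonstration: recreate the file names from the issue's listing in
# a throwaway directory (the contents are placeholder SPDX documents, not real
# SBOMs), run the checks, and print the upload command without running it.
demo() {
  base=$(mktemp -d)
  dir=$(sbom_dir v0.10.0 "$base")
  mkdir -p "$dir"
  for n in index linux-amd64 linux-arm-v7 linux-arm64 linux-ppc64le; do
    printf '{"spdxVersion": "SPDX-2.3", "name": "trust-manager-%s"}\n' "$n" \
      > "$dir/trust-manager-$n.spdx.json"
  done
  check_sboms "$dir"
  DRY_RUN=1 publish_sboms v0.10.0 "$base"
  rm -rf "$base"
}

demo
```

In a release workflow this would run after `make oci-build-manager` on the tagged commit, so the uploaded SBOMs describe exactly the images that were built; the `spdxVersion` check is only a cheap guard against uploading an empty or truncated file, not a substitute for validating the SBOM content.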