Publish SBOMs

[SgtCoDFish]

I can see that SBOMs are generated by make oci-build-manager in trust-manager. It looks like these would be helpful to publish in releases, and it shouldn't be hard to add them to github releases.

I'd actually assumed we were publishing these but it doesn't seem like we are!

For example, on the v0.10.0 tag of trust-manager:

$ ls _bin/scratch/image/oci-layout-manager.v0.10.0.sbom
trust-manager-index.spdx.json
trust-manager-linux-amd64.spdx.json
trust-manager-linux-arm-v7.spdx.json
trust-manager-linux-arm64.spdx.json
trust-manager-linux-ppc64le.spdx.json

[inteon]

I can confirm: we have not yet implemented sbom pushing. Important to consider here:

• figure out a strategy for re-pushing the same tag (reproducible builds + sboms)
• make sure the SBOMs are still useable after the image was mutated (eg. an extra layer was added)
• verify that the SBOM also refers to the base image's SBOM and that that SBOM is retrievable