feat(build): sbom

[asher]

No description provided.

[asher]

❯ cosign verify-attestation --type cyclonedx --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'edera-dev/edera-debug-report/.github/.*' ghcr.io/edera-dev/edera-debug-report-oci:latest | jq -r '.payload' | base64 -d | jq '.predicate.components[]["bom-ref"]'

Verification for ghcr.io/edera-dev/edera-debug-report-oci:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject: https://github.com/edera-dev/edera-debug-report/.github/workflows/build-oci.yml@refs/heads/asher/sbom
Certificate issuer URL: https://token.actions.githubusercontent.com
GitHub Workflow Trigger: workflow_dispatch
GitHub Workflow SHA: 02f10629f399c6704831571f9e718a1a1bf295c5
GitHub Workflow Name: build-oci-image
GitHub Workflow Repository: edera-dev/edera-debug-report
GitHub Workflow Ref: refs/heads/asher/sbom
"pkg:github/edera-dev/edera-debug-report@02f10629f399c6704831571f9e718a1a1bf295c5"
"pkg:generic/dmidecode@566922a"
"pkg:github/pciutils/pciutils@b424ac8b498317965bfd3ab33ae21b158a7f1dd2"
"pkg:generic/glibc@2.34-270.el9_8"
"pkg:generic/zlib@1.2.11-40.el9"

[bleggett]

Approving but we should actually gut this and its dependence on external C tools and just invoke sudo edera-check collect which collects the same info without external vendored binaries.

[bleggett]

This is another reason why we should just make this a script wrapper around

sudo edera-check collect - we collect the same DMI/lspci info there but with native Rust code and so we don't need to SBOM random in-tree CI binaries.