feat: publish and review SBOM

[rjaegers]

This feature adds SBOM generation and publishing to the container in several places next to the already available in-toto attestation.

• As a release artifact
• As a workflow artifact

Additionally the dependency review action is used to review dependencies for license issues or vulnerabilities.

[github-actions]

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
✅ ACTION	actionlint	10		0	0.15s
✅ DOCKERFILE	hadolint	1		0	0.36s
✅ JSON	eslint-plugin-jsonc	7	0	0	7.15s
✅ JSON	prettier	7	0	0	0.56s
✅ JSON	v8r	7		0	4.42s
✅ MARKDOWN	markdownlint	3	0	0	0.91s
✅ MARKDOWN	markdown-link-check	3		0	4.43s
✅ MARKDOWN	markdown-table-formatter	3	0	0	0.34s
✅ REPOSITORY	checkov	yes		no	27.45s
✅ REPOSITORY	dustilock	yes		no	0.04s
✅ REPOSITORY	gitleaks	yes		no	0.33s
✅ REPOSITORY	git_diff	yes		no	0.01s
✅ REPOSITORY	grype	yes		no	14.1s
✅ REPOSITORY	secretlint	yes		no	1.57s
✅ REPOSITORY	syft	yes		no	0.33s
✅ REPOSITORY	trivy	yes		no	7.14s
✅ REPOSITORY	trivy-sbom	yes		no	1.34s
✅ REPOSITORY	trufflehog	yes		no	8.86s
✅ SPELL	lychee	30		0	1.2s
✅ YAML	prettier	12	0	0	1.02s
✅ YAML	v8r	12		0	9.46s
✅ YAML	yamllint	12		0	0.63s

See detailed report in MegaLinter reports

MegaLinter is graciously provided by

[github-actions]

Test Results

15 tests  ±0   15 ✔️ ±0   12m 20s ⏱️ - 4m 37s
  1 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 79a750d. ± Comparison against base commit 43df025.

♻️ This comment has been updated with latest results.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Manifest Files

.github/workflows/build-push.yml

• actions/dependency-review-action@6c5ccda
• anchore/sbom-action@78fc58e
• crazy-max/ghaction-container-scan@3e9c23f

[github-actions]

Pull Request Report (#186)

Static measures

Description	Value
Number of added lines	10
Number of deleted lines	2
Number of changed files	2
Number of commits	6
Number of reviews	1
Number of comments (w/o review comments)	3
Number of reviews that contains a comment to resolve	0
Number of reviews that requested a change from the author	0
Number of reviews that approved the Pull Request	1
Get the total number of participants of a Pull Request	3

Time related measures

Description	Value
PR lead time (from creation to close of PR)	6.3 Hours
Time that was spend on the branch before the PR was created	45 Sec
Time that was spend on the branch before the PR was merged	6.3 Hours
Time to merge after last review	4.6 Hours

Status check related measures

Description	Value
Total runtime for last status check run (Workflow for PR)	25.4 Min
Total time spend in last status check run on PR	14.2 Min