fix: Upload sbom (#175)

* chore: Upload sbom to release

Signed-off-by: Justin Abrahms <[email protected]>

* chore: Exclude signed releases since we don't use github releases for distribution

Signed-off-by: Justin Abrahms <[email protected]>

Signed-off-by: Justin Abrahms <[email protected]>

Author: justinabrahms

.clomonitor.yml

@@ -0,0 +1,10 @@
+
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+
+# Checks exemptions
+
+# Check identifiers are here https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions (look for "id")
+exemptions:
+  - check: signed_releases
+    reason: "Our releases are signed in GHCR via cosign"

.github/workflows/release-please.yml

@@ -128,4 +128,4 @@ jobs:
               config/webhook/certificate.yaml
               config/rendered/release.yaml
               config/samples/end-to-end.yaml
-
+              ${{ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT}}