CLOUDP-319858: Auto-update SBOM report in codebase

[blva]

Proposed changes

Jira ticket: CLOUDP-319858

• Keeps the SBOM in artifacts, but, after release, updates the repository SBOM report under the compliance folder : e.g. compliance/v1.42.2/
• The report then links to the sbom release artifact in https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${VERSION}/sbom.json`

Checklist

• I have signed the MongoDB CLA
• I have added tests that prove my fix is effective or that my feature works
• I have added any necessary documentation in document requirements section listed in CONTRIBUTING.md (if appropriate)
• I have addressed the @mongodb/docs-cloud-team comments (if appropriate)
• I have updated test/README.md (if an e2e test has been added)
• I have run make fmt and formatted my code

Further comments

[github-actions]

Coverage Report 📈

Branch	Commit	Coverage
master	4e33829	25.1%
CLOUDP-319858	4882767	25.1%
	Difference	0%

[andreaangiolillo]

Is there a risk that gen-ssdlc-report.sh run on a codebase that no longer reflect the tag? What I mean here is that I don't see any step where you are getting the CLI codebase at the release tag so the ssdlc report may includes code changes that were merged after the release tag was created.

[solution] I think you should update the checkout step to download the codebase at the release tag

[blva]

includes code changes that were merged after the release tag was created.

good point, but since the report simply links to the tag link I think it will always show the sbom report that was generated upon tag release, right?

[andreaangiolillo]

ah, I don't know what gen-ssdlc-report.sh does 😅 Feel free to ignore the comment if the script does not actually do anything related to the codebase.

[blva]

not for now, but its a good point! thanks

[andreaangiolillo]

LGTM

[cveticm]

LGTM! Moving the report on-release to a GH action should make for a great foundation for the on-demand augmented report!