CLOUDP-321185: fix sbom not included in release (#3927)

Author: cveticm

build/ci/release.yml

@@ -100,15 +100,15 @@ functions:
       params:
         shell: bash
         script: |
-          docker run \
+          podman run \
           --pull=always \
           --platform="linux/amd64" \
           --rm \
           --env-file ${workdir}/kondukto_credentials.env \
           -v ${workdir}:/workdir \
           901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
           upload \
-          --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json \
+          --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/sbom.json \
           --repo mongodb_mongodb-atlas-cli  \
           --branch ${branch_name}  
           rm ${workdir}/kondukto_credentials.env
@@ -253,6 +253,7 @@ functions:
           - src/github.com/mongodb/mongodb-atlas-cli/dist/*.json
           - src/github.com/mongodb/mongodb-atlas-cli/dist/*.msi
           - src/github.com/mongodb/mongodb-atlas-cli/dist/*.sig
+          - src/github.com/mongodb/mongodb-atlas-cli/sbom.json
         remote_file: ${project}/dist/${revision}_${created_at}/
         bucket: mongodb-mongocli-build
         permissions: public-read
@@ -391,16 +392,14 @@ tasks:
           permissions: public-read
           content_type: ${content_type|application/octet-stream}
           display_name: unsigned
-  - name: generate_and_upload_sbom
-    commands:  
-      - func: "generate sbom"
-      - func: "run silkbomb"
   - name: package_goreleaser
     tags: ["packaging"]
     depends_on:
       - name: compile
         variant: "code_health"
     commands:
+      - func: "generate sbom"
+      - func: "run silkbomb"
       - func: "generate notices"
       - func: "install goreleaser"
       - func: "install macos notarization service"
@@ -588,8 +587,6 @@ buildvariants:
         depends_on:
           - name: package_msi
             variant: "go_atlascli_msi_snapshot"
-          - name: generate_and_upload_sbom
-            variant: ssdlc
   - name: publish_atlascli_snapshot
     display_name: "Publish AtlasCLI Snapshot"
     run_on:
@@ -615,8 +612,6 @@ buildvariants:
         depends_on:
           - name: package_msi
             variant: release_atlascli_msi
-          - name: generate_and_upload_sbom
-            variant: ssdlc
   - name: copybara
     display_name: "Copybara"
     git_tag_only: true
@@ -669,11 +664,3 @@ buildvariants:
       - ubuntu2004-small
     tasks:
       - name: .smoke-test .generate .repo .atlascli
-  - name: ssdlc
-    display_name: Compliance [ssdlc]
-    run_on:
-      - ubuntu2204-small
-    expansions:
-      <<: *go_linux_version
-    tasks:
-      - name: generate_and_upload_sbom

build/package/.goreleaser.yml

@@ -142,5 +142,5 @@ release:
   name_template: "MongoDB Atlas CLI {{.Version}}"
   extra_files:
     - glob: ./bin/*.msi
-    - glob: compliance/**/*
+    - glob: ./sbom.json
 version: 2

build/package/generate-sbom.sh

@@ -19,13 +19,13 @@ set -Eeou pipefail
 export WORKDIR=${workdir:?}
 
 # Authenticate Docker to AWS ECR
-aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com
+aws ecr get-login-password --region us-east-1 | podman login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com
 
 echo "Generating SBOMs..."
-docker run --rm \
+podman run --rm \
   -v "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \
   901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
   update \
   --purls /pwd/build/package/purls.txt \
-  --sbom-out /pwd/compliance/sbom.json
+  --sbom-out /pwd/sbom.json