feat(catalog): declare artifacts.reports.cyclonedx (GitLab Dependency List ingestion)

Summary

Catalog v2.5.0 closes an Ultimate-features gap: the CycloneDX SBOMs the catalog already produces and cosign-attests are now ALSO fed into GitLab's Dependency List via `artifacts.reports.cyclonedx`.

Pre-v2.5.0: the SBOM lived as a plain `paths` artifact and a cosign attestation against the image digest. External auditors could verify it via cosign; GitLab maintainers couldn't see it in the Dependency Management UI.

Post-v2.5.0: dual channels for dual audiences.

Changed

  • `binary` -- `reports.cyclonedx` matches `dist/.sbom.cdx.json` (cargo-cyclonedx default naming) and `dist/-sbom.cdx.json` (consumer variations).
  • `container-sbom` -- `reports.cyclonedx` on the syft-generated `dist/sbom/sbom.cdx.json`.

No spec changes; no input changes. Consumers pinning `@v2.5.0` pick up the ingestion automatically — no consumer-side YAML needed.

Test plan

  • MR pipeline green (lint + syntax)
  • After tag: consumer that already uses `binary` (assay/posture/manifold/tach) shows its CycloneDX deps in Dependency List
  • After tag: consumer that uses `container-sbom` (kaniko) shows its container deps in Dependency List
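For readers unfamiliar with the dual-channel setup the description refers to, the following `.gitlab-ci.yml` fragment is an added illustration, not the catalog's own YAML. It shows a `container-sbom`-style job that keeps the SBOM as a plain `paths` artifact (downloadable, and the file cosign attests against the image digest) and also declares it under `artifacts.reports.cyclonedx` so GitLab ingests it into the Dependency List. The stage name, the `IMAGE`/`DIGEST` variables and the `expire_in` value are assumptions for the example; GitLab only ingests CycloneDX reports in JSON form, and a report listed under `reports:` is not offered for download in the UI unless it is also listed under `paths:`, which is why both entries are kept.

```yaml
# Added example (not the catalog's own configuration).
# Assumes $IMAGE and $DIGEST are provided by an earlier build job.
container-sbom:
  stage: sbom                       # assumed stage name
  script:
    # Generate the CycloneDX JSON SBOM for the exact image digest that was built.
    - syft "${IMAGE}@${DIGEST}" -o cyclonedx-json=dist/sbom/sbom.cdx.json
    # Attest the same file against the image digest so external auditors can
    # verify it with `cosign verify-attestation --type cyclonedx`.
    - cosign attest --yes --type cyclonedx --predicate dist/sbom/sbom.cdx.json "${IMAGE}@${DIGEST}"
  artifacts:
    # Channel 1: plain artifact, downloadable and archivable.
    paths:
      - dist/sbom/sbom.cdx.json
    # Channel 2: report artifact, parsed by GitLab into the Dependency List.
    reports:
      cyclonedx:
        - dist/sbom/sbom.cdx.json
    expire_in: 30 days              # assumed retention
```

Because `reports.cyclonedx` is declared inside the component's job template, a consumer that includes the component picks up the ingestion without adding any `artifacts:` keys of its own, which is the "no consumer-side YAML needed" point made above.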
