chore: generate sbom for the released docker image (#8338)

Signed-off-by: Leonardo Luz Almeida <leonardo_almeida@intuit.com>

.github/workflows/release.yaml

@@ -292,19 +292,31 @@ jobs:
       - name: Generate SBOM (spdx)
         id: spdx-builder
         env:
-          # defines the https://github.com/opensbom-generator/spdx-sbom-generator
-          # to use.
+          # defines the spdx/spdx-sbom-generator version to use.
           SPDX_GEN_VERSION: v0.0.13
+          # defines the sigs.k8s.io/bom version to use.
+          SIGS_BOM_VERSION: v0.2.1
           # comma delimited list of project relative folders to inspect for package
           # managers (gomod, yarn, npm).
           PROJECT_FOLDERS: ".,./ui" 
+          # full qualified name of the docker image to be inspected
+          DOCKER_IMAGE: ${{env.IMAGE_NAMESPACE}}/argocd:v${{env.TARGET_VERSION}}
         run: |
           wget -q https://github.com/opensbom-generator/spdx-sbom-generator/releases/download/$SPDX_GEN_VERSION/spdx-sbom-generator-$SPDX_GEN_VERSION-linux-386.tar.gz -O generator.tar.gz
           tar -zxf generator.tar.gz
+          go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION
+
+          # Generate SPDX for project dependencies analyzing package managers
           for folder in $(echo $PROJECT_FOLDERS | sed "s/,/ /g")
           do
             ./spdx-sbom-generator -p $folder -o /tmp
           done
+
+          # Generate SPDX for binaries analyzing the docker image
+          if [[ ! -z $DOCKER_IMAGE ]]; then
+            bom generate -o /tmp/bom-docker-image.spdx -i $DOCKER_IMAGE
+          fi
+
           tar -zcf /tmp/sbom.tar.gz /tmp/*.spdx
         if: ${{ env.DRY_RUN != 'true' }}