Open. Labels: help wanted
Description
We should strive to get a great score for our Docker build security.
Builds should have provenance added - with SBOM.
We should figure out how to do the multi-platform build with provenance and bill of materials to improve the GizmoSQL container security score.
Build time is a major consideration - using QEMU emulation builds can take a VERY long time, which is why we build natively on arm64 runners from buildjet.
We currently build the image architectures on separate runners, and merge the manifest in DockerHub later - this makes provenance more difficult - but perhaps there is an easy way to do it...