chore: Onboard to Silkbomb to generate SSDLC reports, SBOM and generate augmented SBOM on demand #49

Merged
merged 7 commits into from
Jun 20, 2025

Conversation

oarbusi
Contributor

@oarbusi oarbusi commented Jun 18, 2025

Description

Link to any related issue(s): CLOUDP-325296

Type of change:

  • Bug fix (non-breaking change which fixes an issue). Please, add the "bug" label to the PR.
  • New feature (non-breaking change which adds functionality). Please, add the "enhancement" label to the PR. A migration guide must be created or updated if the new feature will go in a major version.
  • Breaking change (fix or feature that would cause existing functionality to not work as expected). Please, add the "breaking change" label to the PR. A migration guide must be created or updated.
  • This change requires a documentation update
  • Documentation fix/enhancement

Required Checklist:

  • I have signed the MongoDB CLA
  • I have read the contributing guides
  • I have checked that this change does not generate any credentials and that they are NOT accidentally logged anywhere.
  • I have added tests that prove my fix is effective or that my feature works per HashiCorp requirements
  • I have added any necessary documentation (if appropriate)
  • I have run make fmt and formatted my code
  • If changes include deprecations or removals I have added appropriate changelog entries.
  • If changes include removal or addition of 3rd party GitHub actions, I updated our internal document. Reach out to the APIx Integration slack channel to get access to the internal document.

Further comments

@oarbusi oarbusi marked this pull request as ready for review June 18, 2025 15:08
@Copilot Copilot AI review requested due to automatic review settings June 18, 2025 15:08
@oarbusi oarbusi requested a review from a team as a code owner June 18, 2025 15:08
@Copilot Copilot AI left a comment

Pull Request Overview

This PR onboards Silkbomb for SSDLC and SBOM generation by adding a suite of compliance scripts, updating the Makefile targets, and enhancing GitHub workflows to support both standard and augmented report generation.

  • Introduces new compliance scripts for generating SBOM, PURLs, and SSDLC compliance reports.
  • Updates Makefile with additional phony targets to integrate these scripts into the build process.
  • Modifies GitHub workflows to automate SBOM upload and SSDLC report generation.

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Summary per file (file: description)
templates/ssdlc-compliance.template.md New Markdown template for SSDLC compliance reporting.
scripts/compliance/upload-sbom.sh Script for uploading SBOM using Docker.
scripts/compliance/gen-ssdlc-report.sh Script to generate SSDLC reports with conditional augmented report.
scripts/compliance/gen-sbom.sh Script to generate SBOM using Docker.
scripts/compliance/gen-purls.sh Script to generate PURLs from Go binaries across multiple OS platforms.
scripts/compliance/extract-purls.sh Helper script to extract package information from Go binaries.
scripts/compliance/augment-sbom.sh Script to augment the SBOM with additional repository branch detail.
Makefile Updated with new phony targets for compliance-related scripts.
.github/workflows/release.yml Modified to include a compliance job for SBOM upload and SSDLC report generation.
.github/workflows/generate-augmented-sbom.yml New workflow to run the augmented SBOM generation and report creation.

KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
steps:
- uses: actions/checkout@v4
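Review bot: the `- uses: actions/checkout@v4` line references a mutable tag, so the action contents this workflow executes can change after review; pin it to the full commit SHA of the release and keep the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, so the dependency is immutable and still readable.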
Collaborator

SHA in all GHA

Contributor Author

done! I keep copy-pasting the same (wrong) actions

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

generate-ssdlc-report:
needs: compliance
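Review bot: `needs: compliance` only orders the jobs; `generate-ssdlc-report` still starts on a fresh runner, so nothing the `compliance` job wrote to disk is present here unless it is handed over as a workflow artifact or fetched again. State in the job (or in the report script) which of these it relies on, otherwise a reader cannot tell why the dependency exists.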
Collaborator

Can it depend on release, or does it need something from compliance?

Contributor Author

The SSDLC report references the sbom.json uploaded in the compliance step, so it depends on the compliance step.

Collaborator

Thanks. Similar to the question in another PR: is it better as different jobs, or as steps in the same job?

@oarbusi oarbusi merged commit d34a3dd into main Jun 20, 2025
7 checks passed
@oarbusi oarbusi deleted the CLOUDP-325296 branch June 20, 2025 08:37