let putting SBOMs in a different repository

[developer-guy]

We can enable putting SBOMs in a different repository by creating another environment variable or a new configuration option.

# via environment variable
SBOM_REPOSITORY=<repo> ko build ..

# via the configuration file
.ko.yaml:
sbomRepository: <repo> 

cc: @Dentrax

🗣 Based on the talk: https://kubernetes.slack.com/archives/C032MM2CH7X/p1662936574448189
🧵 Cross-ref: kyverno/kyverno#4592

[developer-guy]

we are willing to do this ☝️

[imjasonh]

I assume we'll want to push other non-SBOM things as attachments too (#357, #679), so we should come up with a name that reflects that better than SBOM_REPOSITORY. But otherwise this should be fairly straightforward, and we can start writing code and figure out the name later.

Prior art: COSIGN_REPOSITORY

[developer-guy]

Here are the questions:

• What do you suggest for naming? Should I go with COSIGN_REPOSITORY?

• Should we make it configurable via the configuration file .ko.yaml or will it only be supported through an environment variable?

[imjasonh]

• What do you suggest for naming? Should I go with COSIGN_REPOSITORY?

COSIGN_REPOSITORY doesn't make sense if the user isn't aware of what cosign is.

ATTACHMENT_REPOSITORY maybe? AUX_REPOSITORY?

We could also lean in to SBOM_REPOSITORY for now, and just know that we'll end up having separate SIGNATURE_REPOSITORY, ATTESTATION_REPOSITORY, etc, env vars in the future, with some overriding XXX_REPOSITORY env var that we can name later when we're (presumably) smarter.

• Should we make it configurable via the configuration file .ko.yaml or will it only be supported through an environment variable?

Let's start with an env var, and promote it to a config option once we have the code in place (and a name 🙃)