Commit 52a720ff authored by Cédric OLIVIER's avatar Cédric OLIVIER

Merge branch 'feat/sbom-go-image' into 'master'

feat: use go image for sbom job

Closes #42

See merge request to-be-continuous/golang!79
parents 61e72657 9b7e4ee0
+1 −1
@@ -257,7 +257,7 @@ It is bound to the `test` stage, and uses the following variables:
| --------------------- | -------------------------------------- | ----------------- |
| `sbom-disabled` / `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `TBC_SBOM_MODE`                      | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `GO_SBOM_DISABLED` takes precedence | `onrelease` |
| `sbom-image` / `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | `registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GO_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GO_SBOM_IMAGE) |
| `sbom-image` / `GO_SBOM_IMAGE` | Specific Docker image used to run cyclonedx-gomod | `$GO_IMAGE` |
| `sbom-opts` / `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `-main .` |

:warning: if you don't have your main class located at the root of your `GO_PROJECT_DIR`, then you will need to override the `-main` option in `GO_SBOM_OPTS` and define your real main class location.
+3 −1
@@ -150,7 +150,9 @@
        },
        {
          "name": "GO_SBOM_IMAGE",
          "default": "registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest"
          "description": "Specific Docker image used to run cyclonedx-gomod",
          "advanced": true,
          "default": "$GO_IMAGE"
        },
        {
          "name": "GO_SBOM_OPTS",
+5 −4
@@ -109,7 +109,8 @@ spec:
      type: boolean
      default: false
    sbom-image:
      default: registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest
      description: Specific Docker image used to run cyclonedx-gomod
      default: '$GO_IMAGE'
    sbom-opts:
      description: '[@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis'
      default: -main .
@@ -807,7 +808,7 @@ go-sbom:
  image:
    name: $GO_SBOM_IMAGE
    entrypoint: [""]
  # manage separate GitLab cache to prevent permission denied error (this image being rootless, it can't rewrite Go cache - owned by root)
  # manage separate GitLab cache to prevent permission denied error (cyclonedx-gomod image being rootless, it can't rewrite Go cache - owned by root)
  # see: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29663
  cache:
    key: "$CI_COMMIT_REF_SLUG-golang-sbom"
@@ -817,10 +818,10 @@ go-sbom:
  dependencies: []
  needs: []
  script:
    - command -v cyclonedx-gomod > /dev/null || go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
    - mkdir -p -m 777 reports
    - go_mode=$(go_build_mode)
    - |
      cyclonedx-gomod "${go_mode:0:3}" -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
    - cyclonedx-gomod "${go_mode:0:3}" -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
    - chmod a+r reports/go-sbom.cyclonedx.json
  artifacts:
    name: "SBOM for golang from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
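Review bot: The new fallback `command -v cyclonedx-gomod > /dev/null || go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest` fetches an unpinned `@latest` build of the SBOM tool over the network on every pipeline that runs with the new `$GO_IMAGE` default, so the tool that produces the supply-chain inventory is itself neither version-pinned nor reproducible and two runs of the same commit can yield different reports. Expose the version as a template variable, e.g. `sbom-version` / `GO_SBOM_VERSION` defaulting to a fixed release tag, and install with `go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@${GO_SBOM_VERSION}` so the pin is visible and overridable like the other job variables. Note also that `go install` drops the binary in `$(go env GOPATH)/bin`, which is on `PATH` in the official golang image but not necessarily in an arbitrary `GO_IMAGE` override, so `export PATH="$(go env GOPATH)/bin:$PATH"` before the `cyclonedx-gomod` call would avoid a confusing "command not found" after a successful install. The go-sbom job definition continues past the end of this hunk.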