feat: sbom generation ubuntu and nix packages

Author: samrose

.github/workflows/ami-release-nix.yml

@@ -137,6 +137,17 @@ jobs:
             -e "postgres_major_version=${{ env.POSTGRES_MAJOR_VERSION }}" \
             manifest-playbook.yml
 
+      - name: Upload SBOM to s3 staging
+        run: |
+          PG_VERSION=${{ steps.process_release_version.outputs.version }}
+          if [ -f "ubuntu-sbom-${PG_VERSION}.spdx.json" ]; then
+            aws s3 cp "ubuntu-sbom-${PG_VERSION}.spdx.json" \
+              "s3://${{ secrets.ARTIFACTS_BUCKET }}/manifests/postgres-${PG_VERSION}/sbom.spdx.json"
+            echo "SBOM uploaded to staging"
+          else
+            echo "Warning: SBOM file not found, skipping upload"
+          fi
+
       - name: Upload nix flake revision to s3 staging
         run: |
           aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz
@@ -157,7 +168,18 @@ jobs:
             -e "internal_artifacts_bucket=${{ secrets.PROD_ARTIFACTS_BUCKET }}" \
             -e "postgres_major_version=${{ env.POSTGRES_MAJOR_VERSION }}" \
             manifest-playbook.yml
-    
+
+      - name: Upload SBOM to s3 prod
+        run: |
+          PG_VERSION=${{ steps.process_release_version.outputs.version }}
+          if [ -f "ubuntu-sbom-${PG_VERSION}.spdx.json" ]; then
+            aws s3 cp "ubuntu-sbom-${PG_VERSION}.spdx.json" \
+              "s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/manifests/postgres-${PG_VERSION}/sbom.spdx.json"
+            echo "SBOM uploaded to prod"
+          else
+            echo "Warning: SBOM file not found, skipping upload"
+          fi
+
       - name: Upload nix flake revision to s3 prod
         run: |
           aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz