
fix: SBOM attestation and cosign identity matching #48

Merged
mikkeldamsgaard merged 1 commit into main from fix/sbom-attestation-and-cosign-docs
Mar 14, 2026

Conversation

@mikkeldamsgaard (Contributor) commented Mar 14, 2026

Summary

  • SBOM attestation: Fix null predicate for multi-platform images by using (index .SBOM "linux/amd64").SPDX instead of .SBOM.SPDX — the SBOM is keyed by platform in multi-arch manifests.
  • Cosign identity matching: Use --certificate-identity with the exact tag ref (e.g. @refs/tags/v2.0.0) instead of a glob pattern (v*) which cosign does not support. The Makefile constructs the exact ref from the VERSION parameter.

How to verify

# Makefile target works with exact identity matching
make verify-image VERSION=2.0.0

# SBOM attestation will work after next release tag push

🤖 Generated with Claude Code
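Added example, not code from this PR or its repository: a small Go program that reproduces the two points in the summary above. The first part runs the three candidate `--format` templates (the pre-fix `.SBOM.SPDX`, the PR's `(index .SBOM "linux/amd64").SPDX`, and an assumed fallback variant that is not in the PR) against constructed samples shaped like the data buildx hands to its Go template, showing that on a multi-platform image the old template yields the literal `null` predicate. The second part builds the exact certificate identity the Makefile is described as constructing from VERSION; the repository path `example/app`, the `json` helper registered here (buildx provides its own), and the `releaseIdentity` helper are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Constructed sample shaped like the data that `docker buildx imagetools
// inspect --format` hands to its Go template for a multi-platform image: the
// SBOM attestation is a map keyed by platform (assumed layout, following the
// template in the PR; the SPDX contents are placeholders).
const multiArchJSON = `{
  "SBOM": {
    "linux/amd64": {"SPDX": {"spdxVersion": "SPDX-2.3", "name": "app:linux-amd64"}},
    "linux/arm64": {"SPDX": {"spdxVersion": "SPDX-2.3", "name": "app:linux-arm64"}}
  }
}`

// Constructed single-platform sample: no platform key, .SBOM.SPDX is the document.
const singleArchJSON = `{"SBOM": {"SPDX": {"spdxVersion": "SPDX-2.3", "name": "app"}}}`

const (
	// Template the workflow used before the fix.
	BrokenTemplate = `{{ json .SBOM.SPDX }}`
	// The PR's fix: pick the platform entry first, then its SPDX document.
	FixedTemplate = `{{ json (index .SBOM "linux/amd64").SPDX }}`
	// Assumed variant (not from the PR): fall back to the single-platform
	// layout when there is no linux/amd64 entry, so one template serves both.
	PortableTemplate = `{{ with index .SBOM "linux/amd64" }}{{ json .SPDX }}{{ else }}{{ json .SBOM.SPDX }}{{ end }}`
)

// renderInspectTemplate stands in for buildx's --format handling: decode the
// inspect output into a generic map and execute the template against it.
// buildx ships a "json" helper; the stand-in registered here marshals a nil
// value to the literal "null", which is the null predicate the PR describes.
func renderInspectTemplate(tmpl, inspectJSON string) (string, error) {
	var data map[string]any
	if err := json.Unmarshal([]byte(inspectJSON), &data); err != nil {
		return "", err
	}
	funcs := template.FuncMap{
		"json": func(v any) (string, error) {
			b, err := json.Marshal(v)
			return string(b), err
		},
	}
	t, err := template.New("inspect").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

// plainVersion accepts only x.y.z, so a wildcard cannot reach the identity.
var plainVersion = regexp.MustCompile(`^[0-9]+\.[0-9]+\.[0-9]+$`)

// releaseIdentity builds the exact identity in the signing certificate that
// --certificate-identity is compared against: the signing workflow file at the
// tag ref. Hypothetical helper; "repo" is a placeholder for owner/name.
// cosign compares this string literally, so a glob such as "v*" is rejected
// here instead of silently never matching at verification time.
func releaseIdentity(repo, version string) (string, error) {
	if !plainVersion.MatchString(version) {
		return "", fmt.Errorf("VERSION %q is not a plain x.y.z release version", version)
	}
	return fmt.Sprintf("https://github.com/%s/.github/workflows/release.yml@refs/tags/v%s", repo, version), nil
}

func main() {
	cases := []struct{ name, tmpl, input string }{
		{"broken, multi-arch", BrokenTemplate, multiArchJSON},
		{"fixed, multi-arch", FixedTemplate, multiArchJSON},
		{"fixed, single-arch", FixedTemplate, singleArchJSON},
		{"portable, single-arch", PortableTemplate, singleArchJSON},
	}
	for _, c := range cases {
		out, err := renderInspectTemplate(c.tmpl, c.input)
		fmt.Printf("%-22s out=%s err=%v\n", c.name, out, err)
	}
	id, err := releaseIdentity("example/app", "2.0.0")
	fmt.Println("identity:", id, err)
}
```

The third case is the caveat worth knowing: the PR's template is specific to multi-platform manifests, and on a single-platform image `index .SBOM "linux/amd64"` finds no entry, so the predicate is `null` again. The fallback variant handles both layouts, but since the page only documents the fixed template, treat it as a suggestion rather than what the workflow does.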

Copilot AI review requested due to automatic review settings March 14, 2026 12:32

Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes release artifact verification for multi-arch images by correcting SBOM extraction in the release workflow and updates cosign verification instructions/targets to use regex-based certificate identity matching.

Changes:

  • Fix SBOM attestation generation for multi-platform images by selecting the platform-keyed SBOM entry (linux/amd64) in the Buildx inspect template.
  • Update cosign verification commands (docs + Makefile) to use --certificate-identity-regexp instead of --certificate-identity (glob patterns aren’t supported).
  • Document the above in the Unreleased changelog.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Reviewed files:

  • docs/security.md: Switches verification examples to --certificate-identity-regexp for tag-based identities.
  • Makefile: Updates verify-image target to use --certificate-identity-regexp and a new regexp variable.
  • CHANGELOG.md: Adds Unreleased notes describing the SBOM and cosign identity fixes.
  • .github/workflows/release.yml: Fixes SBOM predicate extraction for multi-arch image manifests by indexing the SBOM by platform.


…atching

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@mikkeldamsgaard mikkeldamsgaard force-pushed the fix/sbom-attestation-and-cosign-docs branch from d00a4b6 to b73b6d3 Compare March 14, 2026 13:18
@mikkeldamsgaard mikkeldamsgaard merged commit f12edf6 into main Mar 14, 2026
7 checks passed
@mikkeldamsgaard mikkeldamsgaard deleted the fix/sbom-attestation-and-cosign-docs branch March 14, 2026 13:23