CDRIVER-5904 update scripts and release instructions for SilkBomb 2.0 #1882

Merged
merged 13 commits into from
Feb 24, 2025

Conversation

eramongodb
Contributor

@eramongodb eramongodb commented Feb 20, 2025

Resolves CDRIVER-5904 for the master branch (EVG project: mongo-c-driver). Verified by this patch. Followup to #1875.

Applies similar changes to mongodb/mongo-cxx-driver#1344 but for the C Driver. Unlike the C++ Driver, the C Driver's sbom task only performs validate + augment and simply uploads the Augmented SBOM file (no diffs) so it may be examined and downloaded during release steps when needed.

Due to the current inability to download the Augmented SBOM outside of Evergreen with SilkBomb 2.0, the +sbom-download target and related commands, flags, and instructions are removed. In their place, a new release requirement is that etc/augmented-sbom.json is present when running +release-archive or +signed-release (this file does not need to be committed into the repo, it just needs to be present).

This file must be downloaded from a recent execution of the sbom task (a patch build is OK!) during the release process prior to executing +release-archive or +signed-release. If the Augmented SBOM is not present, the COPY command in +release-archive will fail with the following error (paraphrased for brevity):

prefix=[...] ref=HEAD
--> COPY etc/augmented-sbom.json cyclonedx.sbom.json
[no output]
ERROR Earthfile:202:4
      The command
          COPY etc/augmented-sbom.json cyclonedx.sbom.json
      failed: failed to walk [...]/etc: lstat [...]/etc: no such file or directory

The +sbom-update and the new +sbom-validate Earthly commands do not require being run inside Evergreen.

Contributor

@vector-of-bool vector-of-bool left a comment

LGTM with minor tweaks. The failing tasks appear to be unrelated caused by flakiness in the docker hub gateway (sad).

@@ -269,7 +270,7 @@ signed-release:
LET rel_tgz = "$rel_dir/$stem.tar.gz"
LET rel_asc = "$rel_dir/$stem.tar.gz.asc"
# Make the release archive:
COPY (+release-archive/ --branch=$sbom_branch --prefix=$stem --ref=$ref) $rel_dir/
COPY (+release-archive/ --prefix=$stem --ref=$ref) $rel_dir/
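Review bot: this COPY now depends on etc/augmented-sbom.json existing on the host (through +release-archive), and per the PR description a missing file surfaces only as Earthly's "failed to walk [...]/etc: lstat [...]/etc: no such file or directory" rather than a message naming the SBOM; add that precondition to the signed-release doc comment, and since --branch=$sbom_branch is gone from this line, drop the now-unused ARG sbom_branch above it so the target does not advertise an argument it ignores.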
Contributor

Can delete the ARG sbom_branch above since it is now unused.

Earthfile (outdated)
sbom-download:
# sbom-validate:
# Validate the SBOM Lite for the given branch.
sbom-validate:
FROM artifactory.corp.mongodb.com/dockerhub/library/alpine:3.20
Contributor

@vector-of-bool vector-of-bool Feb 20, 2025


This FROM line can be deleted since the next line overrides it immediately. It looks like the duplicate FROM was present in the prior version. That was a mistake.

2. Set the Earthly secrets required for the :any:`+sign-file` and
:any:`+sbom-download` targets.
2. Set the Earthly secrets required for the :any:`+sign-file` target.
3. Download a recent augmented SBOM from Evergreen and save it to `etc/augmented-sbom.json`.
Contributor

Suggested change
3. Download a recent augmented SBOM from Evergreen and save it to `etc/augmented-sbom.json`.
3. Download a recent augmented SBOM from Evergreen, created by the standalone `sbom` task in the "SBOM" variant, and save it to `etc/augmented-sbom.json`.

Contributor


I assume that silk asset groups are no longer required with Silkbomb 2?

Contributor Author

@eramongodb eramongodb Feb 20, 2025


Correct. The --repo and --branch flags are now sufficient to associate uploaded/augmented SBOMs with a given project and branch. Asset group management is no longer necessary. 👏

Comment on lines 16 to 19
command -v jq >/dev/null || {
echo "missing required program jq" 1>&2
exit 1
}
Contributor


Is jq actually required? It doesn't appear to be used.

Contributor Author


It is not (used for diffs in the C++ Driver, which are not present here).

Contributor


This could be moved to an Earthfile task, but would require another step to auth podman/Docker with Artifactory. It's fine as a standalone script since it's fairly trivial.

@eramongodb
Contributor Author

Added the +sbom-generate-new-serial-number Earthly target, which may be used to generate a new unique serial number and reset the SBOM version to 1 following a release via the new SilkBomb 2.0 --generate-new-serial-number flag.
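The two release-time requirements discussed in this thread, that etc/augmented-sbom.json be present and usable before +release-archive runs (PR description) and that a post-release SBOM gets a fresh serial number with its version reset to 1 (the comment above), as an added example that is not SilkBomb or mongo-c-driver code. It assumes the augmented SBOM is a CycloneDX JSON document, as the cyclonedx.sbom.json destination name suggests, and reset_serial_number is a local stand-in for what the --generate-new-serial-number flag is described as doing, not the flag's implementation.

```python
import json
import os
import re
import uuid
# Added example, not SilkBomb or mongo-c-driver code; assumes a CycloneDX JSON SBOM.
SERIAL_RE = re.compile(r"^urn:uuid:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def sbom_problems(doc):
    """Return the reasons this document is not a usable augmented SBOM."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not SERIAL_RE.match(str(doc.get("serialNumber", ""))):
        problems.append("serialNumber is not a urn:uuid value")
    version = doc.get("version")
    if isinstance(version, bool) or not isinstance(version, int) or version < 1:
        problems.append("version must be a positive integer")
    if not doc.get("components"):
        problems.append("components is empty: the augment step likely did not run")
    return problems


def preflight(path="etc/augmented-sbom.json"):
    """Check the file +release-archive will COPY; [] means the release may proceed."""
    # A missing file is reported plainly instead of as Earthly's lstat error.
    if not os.path.isfile(path):
        return [f"{path} is missing: download it from a recent 'sbom' task run"]
    with open(path, encoding="utf-8") as fh:
        try:
            doc = json.load(fh)
        except json.JSONDecodeError as exc:
            return [f"{path} is not valid JSON: {exc}"]
    return sbom_problems(doc)


def reset_serial_number(doc):
    """Local stand-in for --generate-new-serial-number: new serial, version 1."""
    fresh = dict(doc)
    fresh["serialNumber"] = f"urn:uuid:{uuid.uuid4()}"
    fresh["version"] = 1
    return fresh


# Constructed sample of a minimal augmented SBOM a few releases in.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 3,
    "components": [{"type": "library", "name": "zlib", "version": "1.3.1"}],
}
```

Running preflight() from the repository root before +release-archive or +signed-release turns the opaque COPY failure quoted in the PR description into a message naming the missing or malformed file.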

Comment on lines 216 to 217
Equivalent to `+sbom-generate` but uses the `--generate-new-serial-number`
flag to generate a new unique serial number and reset the SBOM version to 1.
Contributor


I think this docs line may fail, requiring two backticks around --generate-new-serial-number. Recommend testing docs changes with make -C docs/dev serve.

Contributor Author


Good catch and thank you for the tip. Testing doc generation caught additional obsolete references to the old +sbom-download target. Inspected the generated HTMLs and updated accordingly.

Comment on lines 100 to 101
The augmented SBOM is produced automatically and asynchronously as part of an
external process that is not contained within the repository itself. The
Collaborator


Suggested change
The augmented SBOM is produced automatically and asynchronously as part of an
external process that is not contained within the repository itself. The
The augmented SBOM is produced as part of an
external process that is not contained within the repository itself. The

I expect producing the augmented SBOM is no longer asynchronous with the silkbomb augment command.

@eramongodb eramongodb merged commit 53f9fec into mongodb:master Feb 24, 2025
1 check was pending
@eramongodb eramongodb deleted the cdriver-5904 branch February 24, 2025 17:20