added signed artifacts and SBOM generation capabilities

cmd/forgebucket/main.go

@@ -20,6 +20,8 @@ import (
 	"github.com/forgeo/forgebucket/internal/domain/ci"
 	gitdomain "github.com/forgeo/forgebucket/internal/domain/git"
 	"github.com/forgeo/forgebucket/internal/domain/gitops"
+	"github.com/forgeo/forgebucket/internal/domain/sbom"
+	"github.com/forgeo/forgebucket/internal/domain/signing"
 	"github.com/forgeo/forgebucket/internal/events"
 	"github.com/forgeo/forgebucket/internal/observability"
 	"github.com/forgeo/forgebucket/internal/models/migrations"
@@ -78,9 +80,27 @@ func main() {
 	gitopsCtrl := gitops.NewController(engine, bus, cfg)
 	go gitopsCtrl.Start(ciCtx)
 
+	sbomGen := sbom.NewGenerator(engine, bus)
+	go sbomGen.Start(ciCtx)
+
 	go observability.StartNATSWatcher(ciCtx, bus)
 
-	handler := api.New(cfg, engine, store, bus, cfg.ArtifactRoot, web.FS())
+	// Initialise artifact signing key store.
+	var keyStore *signing.KeyStore
+	if cfg.ArtifactSigningKey != "" {
+		keyStore, err = signing.New(cfg.ArtifactSigningKey)
+		if err != nil {
+			log.Fatalf("signing: %v", err)
+		}
+	} else {
+		keyStore, err = signing.Generate()
+		if err != nil {
+			log.Fatalf("signing: %v", err)
+		}
+	}
+	log.Printf("signing: key store initialised (keyId=%s)", keyStore.KeyID())
+
+	handler := api.New(cfg, engine, store, bus, cfg.ArtifactRoot, web.FS(), *keyStore, sbomGen)
 
 	srv := &http.Server{
 		Addr:         fmt.Sprintf(":%s", cfg.Port),