refactor: consolidate SBOM extension constants in cache package

Move SBOM file extension constants to pkg/leeway/cache/types.go to avoid
duplication across sbom.go, s3.go, and signing/upload.go.

Add SBOMSidecarExtensions() function that returns all SBOM sidecar file
extensions, ensuring consistency across the codebase.

Co-authored-by: Ona <[email protected]>

Author: leodido

pkg/leeway/cache/remote/s3.go

@@ -1446,23 +1446,11 @@ func (s *S3Cache) uploadProvenanceBundle(ctx context.Context, packageName, artif
 	}).Debug("Successfully uploaded provenance bundle to remote cache")
 }
 
-// SBOM file extensions - must match pkg/leeway/sbom.go constants
-const (
-	sbomBaseFilename           = "sbom"
-	sbomCycloneDXFileExtension = ".cdx.json"
-	sbomSPDXFileExtension      = ".spdx.json"
-	sbomSyftFileExtension      = ".json"
-)
-
 // uploadSBOMFiles uploads SBOM files to S3 with retry logic.
 // This is a non-blocking operation - failures are logged but don't fail the build.
 // SBOM files are stored alongside artifacts as <artifact>.sbom.<ext>
 func (s *S3Cache) uploadSBOMFiles(ctx context.Context, packageName, artifactKey, localPath string) {
-	sbomExtensions := []string{
-		"." + sbomBaseFilename + sbomCycloneDXFileExtension,
-		"." + sbomBaseFilename + sbomSPDXFileExtension,
-		"." + sbomBaseFilename + sbomSyftFileExtension,
-	}
+	sbomExtensions := cache.SBOMSidecarExtensions()
 
 	for _, ext := range sbomExtensions {
 		sbomPath := localPath + ext
@@ -1510,11 +1498,7 @@ func (s *S3Cache) uploadSBOMFiles(ctx context.Context, packageName, artifactKey,
 // This is a best-effort operation - missing SBOMs are expected for older artifacts.
 // SBOM files are stored alongside artifacts as <artifact>.sbom.<ext>
 func (s *S3Cache) downloadSBOMFiles(ctx context.Context, packageName, artifactKey, localPath string) {
-	sbomExtensions := []string{
-		"." + sbomBaseFilename + sbomCycloneDXFileExtension,
-		"." + sbomBaseFilename + sbomSPDXFileExtension,
-		"." + sbomBaseFilename + sbomSyftFileExtension,
-	}
+	sbomExtensions := cache.SBOMSidecarExtensions()
 
 	for _, ext := range sbomExtensions {
 		sbomPath := localPath + ext

pkg/leeway/cache/types.go

@@ -1,5 +1,12 @@
 // Package cache provides local and remote caching capabilities for build artifacts.
 //
+// SBOM Sidecar Files:
+// SBOM (Software Bill of Materials) files are stored alongside artifacts as sidecar files.
+// The naming convention is: <artifact>.<extension> where extension is one of:
+//   - .sbom.cdx.json  (CycloneDX format)
+//   - .sbom.spdx.json (SPDX format)
+//   - .sbom.json      (Syft native format)
+//
 // SLSA Verification Behavior:
 // The cache system supports SLSA (Supply-chain Levels for Software Artifacts) verification
 // for enhanced security. The behavior is controlled by the SLSAConfig.RequireAttestation field:
@@ -27,6 +34,31 @@ import (
 	"context"
 )
 
+// SBOM file format constants
+const (
+	// SBOMBaseFilename is the base filename for SBOM files (e.g., "sbom" in "artifact.sbom.cdx.json")
+	SBOMBaseFilename = "sbom"
+
+	// SBOMCycloneDXFileExtension is the extension of the CycloneDX SBOM file
+	SBOMCycloneDXFileExtension = ".cdx.json"
+
+	// SBOMSPDXFileExtension is the extension of the SPDX SBOM file
+	SBOMSPDXFileExtension = ".spdx.json"
+
+	// SBOMSyftFileExtension is the extension of the Syft SBOM file
+	SBOMSyftFileExtension = ".json"
+)
+
+// SBOMSidecarExtensions returns all SBOM sidecar file extensions.
+// These are the extensions used for SBOM files stored alongside artifacts.
+func SBOMSidecarExtensions() []string {
+	return []string{
+		"." + SBOMBaseFilename + SBOMCycloneDXFileExtension, // .sbom.cdx.json
+		"." + SBOMBaseFilename + SBOMSPDXFileExtension,      // .sbom.spdx.json
+		"." + SBOMBaseFilename + SBOMSyftFileExtension,      // .sbom.json
+	}
+}
+
 // Package represents a build package that can be cached
 type Package interface {
 	// Version returns a unique identifier for the package

pkg/leeway/sbom.go

@@ -25,6 +25,7 @@ import (
 	"github.com/anchore/syft/syft/format/syftjson"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
+	"github.com/gitpod-io/leeway/pkg/leeway/cache"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/xerrors"
@@ -39,18 +40,6 @@ const (
 
 	// EnvvarVulnReportsDir names the environment variable we take the vulnerability reports directory location from
 	EnvvarVulnReportsDir = "LEEWAY_VULN_REPORTS_DIR"
-
-	// SBOM file format constants
-	sbomBaseFilename = "sbom"
-
-	// sbomCycloneDXFileExtension is the extension of the CycloneDX SBOM file we store in the archived build artifacts
-	sbomCycloneDXFileExtension = ".cdx.json"
-
-	// sbomSPDXFileExtension is the extension of the SPDX SBOM file we store in the archived build artifacts
-	sbomSPDXFileExtension = ".spdx.json"
-
-	// sbomSyftFileExtension is the extension of the Syft SBOM file we store in the archived build artifacts
-	sbomSyftFileExtension = ".json"
 )
 
 // WorkspaceSBOM configures SBOM generation for a workspace
@@ -362,14 +351,14 @@ func writeSBOMToCache(buildctx *buildContext, p *Package, builddir string) (err
 	}
 
 	// Normalize CycloneDX
-	cycloneDXPath := artifactPath + "." + sbomBaseFilename + sbomCycloneDXFileExtension
+	cycloneDXPath := artifactPath + "." + cache.SBOMBaseFilename + cache.SBOMCycloneDXFileExtension
 	if err := normalizeCycloneDX(cycloneDXPath, timestamp); err != nil {
 		buildctx.Reporter.PackageBuildLog(p, true,
 			[]byte(fmt.Sprintf("Warning: failed to normalize CycloneDX SBOM: %v\n", err)))
 	}
 
 	// Normalize SPDX
-	spdxPath := artifactPath + "." + sbomBaseFilename + sbomSPDXFileExtension
+	spdxPath := artifactPath + "." + cache.SBOMBaseFilename + cache.SBOMSPDXFileExtension
 	if err := normalizeSPDX(spdxPath, timestamp); err != nil {
 		buildctx.Reporter.PackageBuildLog(p, true,
 			[]byte(fmt.Sprintf("Warning: failed to normalize SPDX SBOM: %v\n", err)))
@@ -392,21 +381,21 @@ func getSBOMEncoder(format string) (encoder sbom.FormatEncoder, filename string,
 		if err != nil {
 			return nil, "", xerrors.Errorf("failed to create CycloneDX encoder: %w", err)
 		}
-		fileExtension = sbomCycloneDXFileExtension
+		fileExtension = cache.SBOMCycloneDXFileExtension
 	case "spdx":
 		encoder, err = spdxjson.NewFormatEncoderWithConfig(spdxjson.DefaultEncoderConfig())
 		if err != nil {
 			return nil, "", xerrors.Errorf("failed to create SPDX encoder: %w", err)
 		}
-		fileExtension = sbomSPDXFileExtension
+		fileExtension = cache.SBOMSPDXFileExtension
 	case "syft":
 		encoder = syftjson.NewFormatEncoder()
-		fileExtension = sbomSyftFileExtension
+		fileExtension = cache.SBOMSyftFileExtension
 	default:
 		return nil, "", xerrors.Errorf("unsupported SBOM format: %s", format)
 	}
 
-	return encoder, sbomBaseFilename + fileExtension, nil
+	return encoder, cache.SBOMBaseFilename + fileExtension, nil
 }
 
 // writeFileHandler returns a handler function for AccessSBOMInCachedArchive that writes to a file.
@@ -442,11 +431,11 @@ func ValidateSBOMFormat(format string) (bool, []string) {
 func GetSBOMFileExtension(format string) string {
 	switch format {
 	case "cyclonedx":
-		return sbomCycloneDXFileExtension
+		return cache.SBOMCycloneDXFileExtension
 	case "spdx":
-		return sbomSPDXFileExtension
+		return cache.SBOMSPDXFileExtension
 	case "syft":
-		return sbomSyftFileExtension
+		return cache.SBOMSyftFileExtension
 	default:
 		return ".json"
 	}
@@ -474,7 +463,7 @@ func AccessSBOMInCachedArchive(fn string, format string, handler func(sbomFile i
 	}
 
 	// Try reading from separate SBOM file first (new format)
-	sbomExt := "." + sbomBaseFilename + GetSBOMFileExtension(format)
+	sbomExt := "." + cache.SBOMBaseFilename + GetSBOMFileExtension(format)
 	sbomPath := fn + sbomExt
 
 	if _, statErr := os.Stat(sbomPath); statErr == nil {
@@ -497,7 +486,7 @@ func AccessSBOMInCachedArchive(fn string, format string, handler func(sbomFile i
 
 // accessSBOMInTarArchive extracts an SBOM file from inside a tar.gz archive (legacy format).
 func accessSBOMInTarArchive(fn string, format string, handler func(sbomFile io.Reader) error) error {
-	sbomFilename := sbomBaseFilename + GetSBOMFileExtension(format)
+	sbomFilename := cache.SBOMBaseFilename + GetSBOMFileExtension(format)
 
 	f, err := os.Open(fn)
 	if err != nil {

pkg/leeway/signing/upload.go

@@ -176,12 +176,7 @@ func (u *ArtifactUploader) UploadArtifactWithAttestation(ctx context.Context, ar
 // uploadSBOMFiles uploads SBOM sidecar files alongside the artifact.
 // This is a non-blocking operation - failures are logged but don't fail the upload.
 func (u *ArtifactUploader) uploadSBOMFiles(ctx context.Context, artifactPath, artifactKey string) {
-	// SBOM file extensions - must match pkg/leeway/sbom.go constants
-	sbomExtensions := []string{
-		".sbom.cdx.json",  // CycloneDX format
-		".sbom.spdx.json", // SPDX format
-		".sbom.json",      // Syft native format
-	}
+	sbomExtensions := cache.SBOMSidecarExtensions()
 
 	for _, ext := range sbomExtensions {
 		sbomPath := artifactPath + ext