feat(bom): publish container image inventory as a doc artifact

[mchmarny]

Summary

First half of #741 — publish the container image BOM as a committed doc artifact under docs/user/container-images.md with make targets to regenerate / verify freshness, and a scheduled weekly refresh workflow. The user-facing prose (explicit vs implicit, registry rationale, how to enumerate yourself, link to the JSON release artifact) lands in a follow-up so this PR stays small.

Motivation / Context

Today the BOM only exists as dist/bom/bom.md produced ad-hoc by make bom. To support customer security review and air-gap planning (#745) and the eventual provenance audit (#744), it needs to be a stable, addressable URL on the docs site. This PR makes it one.

Refs #741, #739.

Type of Change

• New feature (non-breaking change that adds functionality)
• Documentation update
• Build/CI/tooling

Component(s) Affected

• Core libraries (pkg/bom — Deterministic flag on Metadata)
• CLI tool (tools/bom — -deterministic)
• Build/tooling (Makefile — bom-docs, bom-check)
• Docs (docs/user/container-images.md, VitePress sidebar)
• Other (.github/workflows/bom-refresh.yaml)

Implementation Notes

Determinism flag. WriteMarkdown previously emitted _Generated <timestamp> for <name> <version>_ on every run, which would force the committed doc to churn on every regeneration. Added Metadata.Deterministic (off by default) that suppresses the line. The tools/bom -deterministic flag plumbs it through. Future per-bundle SBOMs in pkg/bundler (#750) will consume the same Metadata, so this is a one-time API addition.

make bom-docs / make bom-check. New targets next to the existing make bom:

• bom-docs regenerates docs/user/container-images.md from the live registry (helm-renders all chart references; needs network).
• bom-check regenerates and git diff --exit-codes the file; fails on drift with a message pointing at make bom-docs.

Scheduled refresh. .github/workflows/bom-refresh.yaml runs Mondays 06:00 UTC. Uses peter-evans/create-pull-request@v7.0.8 (SHA-pinned, matches repo conventions) to open or update chore/bom-refresh when the regenerated BOM differs from the committed copy. Catches upstream chart drift for components whose chart version isn't yet pinned (gated by #742; tracked under #749). Once every chart is pinned end-to-end, the action becomes a no-op — keeping it visible enforces that property.

Sidebar. Doc registered under User Guide next to Component Catalog.

Out of scope (follow-up). Path-filtered PR-time bom-check gate. The repo's merge-gate.yaml uses a careful real-job/skip-job pair pattern with dorny/paths-filter; wiring the BOM check there belongs in a follow-up so this PR stays focused. Until then, scheduled refresh + contributor discipline (regenerate after editing recipes) is the only enforcement.

Testing

unset GITLAB_TOKEN && make qualify
# Codebase qualification completed

Manual verification:

$ make bom-docs
Regenerating docs/user/container-images.md (helm rendering, this can take ~30s)...
bom: wrote /tmp/.../bom.cdx.json and /tmp/.../bom.md (22 components, 70 image refs)
Wrote docs/user/container-images.md

$ make bom-check
docs/user/container-images.md is up to date

pkg/bom coverage held: 87.7% with new TestWriteMarkdown_DeterministicSuppressesGenerationLine.

Initial inventory: 22 components, 70 unique images, 11 distinct registries. (Image count drops from 71 to 70 because the Docker Hub library/ canonicalization from #747 review caught a duplicate.)

Risk Assessment

• Low — Deterministic is opt-in and defaults off (no behavior change for existing callers). New Make targets and a new scheduled workflow; no existing code paths modified. Easy to revert.

Rollout notes: The committed docs/user/container-images.md becomes the canonical reference for the deployed image set. The scheduled refresh starts firing the Monday after merge.

Checklist

• Tests pass locally (make test with -race)
• Linter passes (make lint)
• I did not skip/disable tests to make CI green
• I added/updated tests for new functionality
• I updated docs if user-facing behavior changed (the new doc page itself)
• Changes follow existing patterns in the codebase (SHA-pinned actions, sidebar registration, deterministic-output convention)
• Commits are cryptographically signed (git commit -S)

[github-actions]

🌿 Preview your docs: https://nvidia-preview-feat-bom-docs-automation.docs.buildwithfern.com/aicr

[github-actions]

Coverage Report ✅

Metric	Value
Coverage	75.1%
Threshold	70%
Status	Pass

Coverage Badge

![Coverage](https://img.shields.io/badge/coverage-75.1%25-green)

Merging this branch will increase overall coverage

Impacted Packages	Coverage Δ	🤖
github.com/NVIDIA/aicr/pkg/bom	90.79% (+0.04%)	👍
github.com/NVIDIA/aicr/tools/bom	0.00% (ø)

---

Coverage by file

Changed files (no unit tests)

Changed File	Coverage Δ	Total	Covered	Missed	🤖
github.com/NVIDIA/aicr/pkg/bom/bom.go	98.04% (ø)	51	50	1
github.com/NVIDIA/aicr/pkg/bom/markdown.go	74.65% (+0.36%)	71 (+1)	53 (+1)	18	👍
github.com/NVIDIA/aicr/tools/bom/main.go	0.00% (ø)	107 (+1)	0	107 (+1)

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.