kubernetes-sigs / bom

A utility to generate SPDX-compliant Bill of Materials manifests

Home Page:https://kubernetes-sigs.github.io/bom/


Push to github release

puerco opened this issue · comments

What would you like to be added:

Given sufficient credentials and permissions (i.e. a GITHUB_TOKEN) we should add a flag to bom generate to push the resulting SBOM to a GitHub release. For example:

bom generate . --release-push[=[org/repo@]v1.0.2]

If nothing is specified, we can infer the org/repo and tag from the Go import path and by checking whether the HEAD commit is tagged.

Why is this needed:

This would simplify the CI workflows using bom and would also take care of other nagging smaller problems such as naming the SBOM correctly.
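As an added example (not code from the bom project or from the issue author), the sketch below shows one way the proposed flag could be resolved: it parses the `[org/repo@]tag` grammar from the issue, falls back to a Go module path for org/repo, and falls back to the tag pointing at HEAD when no tag is given. The function names, the module path string and the `git tag --points-at HEAD` output are all assumptions constructed for the example; the token itself is deliberately kept out of the resolved target so it cannot leak into logs or the SBOM name.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// ReleaseTarget is the GitHub release an SBOM would be attached to.
// It intentionally carries no credential; GITHUB_TOKEN stays in the environment.
type ReleaseTarget struct {
	Org  string
	Repo string
	Tag  string
}

// repoFromModulePath derives org/repo from a Go module path such as
// "github.com/kubernetes-sigs/bom". Only github.com paths are accepted.
func repoFromModulePath(modulePath string) (org, repo string, err error) {
	parts := strings.Split(strings.TrimSuffix(modulePath, "/"), "/")
	if len(parts) < 3 || parts[0] != "github.com" || parts[1] == "" || parts[2] == "" {
		return "", "", fmt.Errorf("cannot infer org/repo from module path %q", modulePath)
	}
	return parts[1], parts[2], nil
}

// tagPointingAtHead returns the first tag in the (assumed) output of
// `git tag --points-at HEAD`, one tag per line, or an error if HEAD is untagged.
func tagPointingAtHead(gitOutput string) (string, error) {
	for _, line := range strings.Split(gitOutput, "\n") {
		if t := strings.TrimSpace(line); t != "" {
			return t, nil
		}
	}
	return "", errors.New("HEAD commit is not tagged")
}

// validTag rejects tags that would be unsafe to interpolate into an API URL
// or a file name: empty, or containing whitespace or control characters.
func validTag(tag string) bool {
	if tag == "" {
		return false
	}
	for _, r := range tag {
		if unicode.IsSpace(r) || unicode.IsControl(r) {
			return false
		}
	}
	return true
}

// ResolveReleaseTarget parses the value of --release-push using the grammar
// [org/repo@]tag. Missing pieces fall back to the module path and the HEAD tag.
func ResolveReleaseTarget(flagValue, modulePath, gitTagOutput string) (ReleaseTarget, error) {
	var t ReleaseTarget
	var err error
	if at := strings.LastIndex(flagValue, "@"); at >= 0 {
		slug := flagValue[:at]
		t.Tag = flagValue[at+1:]
		parts := strings.Split(slug, "/")
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return ReleaseTarget{}, fmt.Errorf("invalid repository %q, want org/repo@tag", slug)
		}
		t.Org, t.Repo = parts[0], parts[1]
	} else {
		t.Tag = flagValue
		if t.Org, t.Repo, err = repoFromModulePath(modulePath); err != nil {
			return ReleaseTarget{}, err
		}
	}
	if t.Tag == "" {
		if t.Tag, err = tagPointingAtHead(gitTagOutput); err != nil {
			return ReleaseTarget{}, err
		}
	}
	if !validTag(t.Tag) {
		return ReleaseTarget{}, fmt.Errorf("invalid release tag %q", t.Tag)
	}
	return t, nil
}

func main() {
	// Constructed inputs: no flag value, module path of this repo, HEAD tagged v1.0.2.
	target, err := ResolveReleaseTarget("", "github.com/kubernetes-sigs/bom", "v1.0.2\n")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("would attach SBOM to %s/%s release %s\n", target.Org, target.Repo, target.Tag)
}
```

Resolution order matters for CI: an explicit `org/repo@tag` always wins, the module path only supplies the repository, and an untagged HEAD is a hard error rather than a guessed tag, so a job cannot silently attach an SBOM to the wrong release.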