fix(sbom): enforce sbom-only version sources across docs site

[castrojo]

Make SBOM attestations the authoritative source for kernel, GNOME, Mesa, and Fedora across driver, images, and changelog surfaces while keeping NVIDIA as the explicit fallback workaround.

Refs: #35 #38 #50 #52 #57

Assisted-by: Claude Sonnet 4.6 via GitHub Copilot

[gemini-code-assist]

Code Review

This pull request transitions the package version discovery process from parsing release descriptions and HTML tables to utilizing SBOM attestation data. Key changes include a more robust GHCR manifest resolution process with token caching and retry logic, as well as updates to frontend components to source version information directly from the SBOM cache. Feedback from the review highlights a regression in release link specificity and raises significant performance concerns regarding the direct import of large JSON datasets into the frontend bundle, which may lead to excessive bundle bloat and slower page loads.

[gemini-code-assist]

This change introduces a regression in link specificity. Previously, each row in the driver versions table linked directly to the specific GitHub release notes for that tag. Now, for SBOM-sourced releases, it links to the general repository releases page. This makes it harder for users to find the relevant changelog for a specific version. To fix this, the fetch-github-sbom.js script should be updated to capture and store the html_url for each release, allowing this field to be populated with the specific release link.

[gemini-code-assist]

Importing sbom-attestations.json directly into the frontend bundle is a significant performance concern. This JSON file contains the allPackages field for every release, which includes a full inventory of RPMs (potentially thousands of entries per release). This will bloat the JavaScript bundle by several megabytes, impacting page load times and memory usage on the client.

Since the allPackages data is only intended for build-time scripts (like fetch-firehose.js), it should be excluded from the JSON file consumed by the frontend, or this component should fetch the data dynamically via fetch() to avoid including it in the main bundle.

[gemini-code-assist]

Changing the data loading strategy from an asynchronous fetch() in useEffect to a direct import causes the entire images.json dataset to be baked into the main JavaScript bundle. This increases the initial payload size for all users, even those who do not visit the images catalog page. It is recommended to stick with the previous fetch() approach or use dynamic imports to keep the data out of the critical path.

  const [catalog, setCatalog] = React.useState<ImagesCatalog>({ products: [] });

  React.useEffect(() => {
    let mounted = true;
    fetch("/data/images.json")
      .then((response) => (response.ok ? response.json() : null))
      .then((data) => {
        if (!mounted || !data || !Array.isArray(data.products)) return;
        setCatalog(data as ImagesCatalog);
      })
      .catch(() => {
        if (!mounted) return;
        setCatalog({ products: [] });
      });
    return () => { mounted = false; };
  }, []);