After GODRIVER-3599, the SBOM file will contain all dependencies listed in go.mod. For any changes to this file, we need to regenerate the SBOM file to ensure correct dependency reporting. This can be done manually, but for automated pull requests like those from dependabots, an automated solution would be preferred.

Using GitHub Actions, we can run a special workflow that only becomes active if go.mod is modified. The workflow would regenerate SBOM.json and commit the result. Using the credentials for the PR bot (also used for merge-up PRs) would ensure that CI runs for those commits as well.