fix(sbom): attest digest instead of tag

      log_info "Syft version:"

      /syft version

    - mkdir -p -m 777 reports

    - echo "{{.source.name}}@sha256:{{.source.id}}" > .img-digest.tmpl

    - basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')

    - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json

    - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json -t .img-digest.tmpl -o template=.img-digest.txt

    - chmod a+r reports/docker-sbom-${basename}.cyclonedx.json

    - |

      if [[ ${DOCKER_COSIGN_STRATEGY} == "onrelease" ]] || [[ ${DOCKER_COSIGN_STRATEGY} == "always" ]]

      then

        log_info "Attaching attested SBOM to ${DOCKER_SNAPSHOT_IMAGE}..."

        docker_image_digest=$(cat .img-digest.txt)

        log_info "Attaching attested SBOM to ${docker_image_digest}..."

        install_cosign

        configure_cosign_private_key

        $docker_cosign attest --key ${docker_cosign_private_key} ${DOCKER_COSIGN_ATTEST_OPTS} --predicate reports/docker-sbom-${basename}.cyclonedx.json ${DOCKER_SNAPSHOT_IMAGE}

        $docker_cosign attest --key ${docker_cosign_private_key} ${DOCKER_COSIGN_ATTEST_OPTS} --predicate reports/docker-sbom-${basename}.cyclonedx.json ${docker_image_digest}

      fi

  artifacts:

    name: "SBOM for docker from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"