Verify oci images with SBOM attachments

Signed-off-by: Prabhu Subramanian <[email protected]>

Author: prabhu

.github/workflows/image-build.yml

@@ -114,7 +114,7 @@ jobs:
           oras attach --artifact-type sbom/cyclonedx ${{ fromJSON(steps.cdxgen-metadata.outputs.json).tags[0] }} ./sbom-oci-image.cdx.json:application/json
           oras discover --format tree ${{ fromJSON(steps.cdxgen-metadata.outputs.json).tags[0] }}
         continue-on-error: true
-        if: ${{ ! fromJSON(inputs.image).cdxgen-image.skip-tags }}
+        if: ${{ startsWith(github.ref, 'refs/tags/') && ! fromJSON(inputs.image).cdxgen-image.skip-tags }}
         env:
           SBOM_SIGN_ALGORITHM: RS512
           SBOM_SIGN_PRIVATE_KEY: ${{ github.workspace }}/private.key