Missing SBOM image in image-refs file

[norbjd]

Hello 👋

When publishing an image with the default parameters and --image-refs=refs-file, ko publishes an image for the SBOM in KO_DOCKER_REPO. However, this image is not included in the file passed in --image-refs option. I don't know if it is intentional or not.

Minimal reproducible example:

go mod init example

cat > main.go <<EOF
package main

import "fmt"

func main() {
        fmt.Println("Hello world!")
}
EOF

# build, and check a SBOM image is published (something like $KO_DOCKER_REPO/example-***:sha256-***.sbom)
ko build . --image-refs=refs-file

grep "sbom" refs-file || echo "No SBOM included in refs-file"

In my case, this is problematic because I would like to sign the SBOM (the same way I'm signing the image). But, to retrieve the SBOM image, I have to tweak a little bit. I would have expected the SBOM image to be in refs-file, so I can rely on that file, instead of inspecting the image from the registry to retrieve the SBOM image digest.

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.