Debug sbom upload

.gitea/workflows/ci-cd.yml

@@ -143,11 +143,20 @@ jobs:
           
           echo "SBOM generated successfully"
 
-      - name: Upload SBOM
+      - name: Upload SBOM to Harbor via ORAS
-        uses: actions/upload-artifact@v3
+        run: |
-        with:
+          curl -sSL https://install.oras.land/install.sh | sh -s -- -b /usr/local/bin
-          name: sbom
+
-          path: sbom.spdx.json
+          IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
+
+          # Authenticate (ensure $HARBOR_USERNAME and $HARBOR_TOKEN are exported already)
+          echo "${{ secrets.HARBOR_TOKEN }}" | oras login ${{ env.REGISTRY }} -u '${{ secrets.HARBOR_USERNAME }}' --password-stdin
+
+          # Push the SBOM attached to the image
+          oras push $IMAGE \
+            --artifact-type application/spdx+json \
+            --subject $IMAGE \
+            sbom.spdx.json:application/spdx+json
 
   # Job 4: Image Security Scan
   # scan: