Debug sbom upload

.gitea/workflows/ci-cd.yml

@@ -139,26 +139,19 @@ jobs:
           
           echo "SBOM generated successfully"
       
-      - name: Install ORAS CLI
+      - name: Upload SBOM to Harbor
         run: |
-          ORAS_VERSION="1.2.3"
-          curl -LO https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz
-          tar -xzf oras_${ORAS_VERSION}_linux_amd64.tar.gz oras
-          chmod +x oras
-          mv oras /usr/local/bin/oras
-
-      - name: Upload SBOM to Harbor via ORAS
-        run: |
-          IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
-
-          # Authenticate (ensure $HARBOR_USERNAME and $HARBOR_TOKEN are exported already)
-          echo "${{ secrets.HARBOR_TOKEN }}" | oras login ${{ env.REGISTRY }} -u '${{ secrets.HARBOR_USERNAME }}' --password-stdin
-
-          # Push the SBOM attached to the image
-          oras push $IMAGE \
+          # Install ORAS
+          curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz
+          tar -xzf oras_1.1.0_linux_amd64.tar.gz
+          sudo mv oras /usr/local/bin/
+          
+          # Push SBOM as an artifact to Harbor
+          oras push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-sbom \
             --artifact-type application/spdx+json \
-            --subject $IMAGE \
             sbom.spdx.json:application/spdx+json
+          
+          echo "SBOM uploaded successfully to Harbor"
 
   # Job 4: Image Security Scan
   # scan: