fix: respect Docker export mode in SBOM generation

SBOM generation was not checking the LEEWAY_DOCKER_EXPORT_TO_CACHE
environment variable, causing it to always use the Docker daemon path
even when SLSA was enabled and images were exported as OCI layout.

The issue: buildDocker() calls determineDockerExportMode() which checks
the environment variable and CLI flags, but writeSBOM() only checked
p.Config.ExportToCache (which is nil when not explicitly set in BUILD.yaml).

This fix makes writeSBOM() use the same precedence logic:
1. Package config (if explicitly set)
2. Environment variable (LEEWAY_DOCKER_EXPORT_TO_CACHE)
3. CLI flag (--docker-export-to-cache)

Additionally, for the Docker daemon path, explicitly configure syft to
use the 'docker' source provider to avoid ambiguity when the image tag
is a content hash.

Fixes the CI failure in gitpod-next PR #11869 where SLSA is enabled
via workflow but SBOM generation was trying to scan from Docker daemon
instead of the OCI layout.

Co-authored-by: Ona <[email protected]>

Author: leodido

pkg/leeway/sbom.go

@@ -240,8 +240,25 @@ func writeSBOM(buildctx *buildContext, p *Package, builddir string) (err error)
 			return xerrors.Errorf("package should have Docker config")
 		}
 
+		// Determine if OCI export is enabled using the same logic as buildDocker
+		// Check: package config > environment variable > default
+		exportToCache := false
+		if cfg.ExportToCache != nil {
+			// Package explicitly sets exportToCache
+			exportToCache = *cfg.ExportToCache
+		} else {
+			// Check environment variable (set by SLSA or user)
+			envExport := os.Getenv(EnvvarDockerExportToCache)
+			exportToCache = (envExport == "true" || envExport == "1")
+		}
+		
+		// Override with CLI flag if set
+		if buildctx.DockerExportSet {
+			exportToCache = buildctx.DockerExportToCache
+		}
+
 		// Check if OCI layout export is enabled
-		if cfg.ExportToCache != nil && *cfg.ExportToCache {
+		if exportToCache {
 			// OCI layout path - scan from oci-archive
 			buildctx.Reporter.PackageBuildLog(p, false, []byte("Generating SBOM from OCI layout\n"))
 
@@ -266,7 +283,10 @@ func writeSBOM(buildctx *buildContext, p *Package, builddir string) (err error)
 				return xerrors.Errorf("failed to get package version: %w", err)
 			}
 
-			src, err = syft.GetSource(context.Background(), version, nil)
+			// Use explicit source provider configuration to ensure docker daemon is used
+			// The version is a content hash that exists as a tag in the local Docker daemon
+			srcCfg := syft.DefaultGetSourceConfig().WithSources("docker")
+			src, err = syft.GetSource(context.Background(), version, srcCfg)
 			if err != nil {
 				return xerrors.Errorf("failed to get Docker image source for SBOM generation: %w", err)
 			}