[FEAT] Retrieve SBOM from image manifest if it exists #60

@aptalca

Description

Is this a new feature request?

  • I have searched the existing issues

Wanted change

Most of our images should now be including the SBOM as an attestation layer in the manifest. It would be great if the CI container used the existing SBOM from the image instead of running the syft container every time.

Some images don't include the SBOM so we would still need the syft container as a fallback.

Reason for change

The syft container is finicky, sometimes takes a very long time if the image is large, and is prone to timing out.

Proposed code change

Spad has all the details about how to check for existing SBOM and how to retrieve it.
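One way the "use the attestation, fall back to syft" flow described in this issue could look, as an added example that is not the CI container's own code. It assumes the image is in a registry, that `docker buildx imagetools inspect --format '{{ json .SBOM }}'` is used to read the SBOM attestation (it prints SPDX JSON when one exists, possibly keyed per platform, and an empty or null result when it does not), and that the `anchore/syft` image with its `registry:` source is the fallback; the `sbom_looks_valid` check and the output path are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not the CI container's code). Assumptions: docker with buildx
# is available, the image is reachable in a registry, and anchore/syft is the
# fallback scanner.
set -u

# Return 0 when the text looks like an SPDX JSON SBOM, 1 when it is the
# empty/null result buildx prints for images without an attestation.
# For multi-platform images buildx keys the output by platform, so only the
# presence of "spdxVersion" is checked, not the top-level shape.
sbom_looks_valid() {
  case "$1" in
    ""|null|"{}") return 1 ;;
  esac
  printf '%s' "$1" | grep -q '"spdxVersion"'
}

# Try the SBOM attestation in the image manifest first; only run the syft
# container when the image carries no attestation (the fallback the issue
# asks to keep). Writes the SBOM to $2 and reports which path was used.
fetch_sbom() {
  local image="$1" out="$2" sbom
  sbom="$(docker buildx imagetools inspect "$image" \
            --format '{{ json .SBOM }}' 2>/dev/null || true)"
  if sbom_looks_valid "$sbom"; then
    printf '%s\n' "$sbom" > "$out"
    echo "sbom: taken from image attestation ($image)"
    return 0
  fi
  echo "sbom: no attestation found, falling back to syft" >&2
  # registry: source lets syft pull the image itself, so no docker socket
  # has to be mounted into the syft container.
  docker run --rm anchore/syft:latest "registry:$image" -o spdx-json > "$out"
}

# Usage: fetch_sbom ghcr.io/example/image:tag sbom.spdx.json  (image is a placeholder)
```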
