chore: add annotations to manifest (#201)

* chore: add test annotation to manifest

* chore: correct annotation syntax

* chore: derive manifest labels from metadata action

* chore: correct syntax for GITHUB_OUTPUT

* chore: fixing shell issue

* chore: more shell fixing

* chore: more shell fun

* chore: more shell fun

* chore: more shell fun

* chore: satisfy linter

* chore: try to use derived image name

* chore: don't scan images that are not pushed to the registry

.github/workflows/build-push.yml

@@ -42,6 +42,11 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
+      - run: |
+          set -Eeuo pipefail
+          ANNOTATIONS=$(echo '${{ steps.meta.outputs.labels }}' | sed 's/org.opencontainers.image./annotation-index.org.opencontainers.image./' | tr '\n' ',')
+          echo "annotations=${ANNOTATIONS::-1}" >> "$GITHUB_OUTPUT"
+        id: annotations
       - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
       - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -58,12 +63,13 @@ jobs:
           push: ${{ github.event_name != 'merge_group' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,${{ steps.annotations.outputs.annotations }}
           sbom: true
           provenance: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
       - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
-        if: ${{ steps.build-and-push.outputs.digest != '' }}
+        if: ${{ steps.build-and-push.outputs.digest != '' && github.event_name != 'merge_group' }}
         with:
           image: ${{ env.REGISTRY }}/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }}
           dependency-snapshot: true