Test oras sbom attach

Signed-off-by: Prabhu Subramanian <[email protected]>

.github/workflows/npm-release.yml

@@ -86,6 +86,14 @@ jobs:
         labels: ${{ steps.meta.outputs.labels }}
         cache-from: type=gha,scope=cdxgen
         cache-to: type=gha,mode=max,scope=cdxgen
+    - name: Attach cdx sbom
+      run: |
+        npm install
+        node bin/cdxgen.js --generate-key-and-sign -t docker -o bom.json --deep ghcr.io/cyclonedx/cdxgen
+        oras attach --artifact-type sbom/cyclonedx --image-spec v1.1-artifact ghcr.io/cyclonedx/cdxgen:${{ steps.meta.outputs.tags }} ./bom.json:application/json
+        oras discover -o tree ghcr.io/cyclonedx/cdxgen:${{ steps.meta.outputs.tags }}
+      env:
+        CDXGEN_DEBUG_MODE: debug
     - name: Extract metadata (tags, labels) for Docker
       id: meta2
       uses: docker/metadata-action@v4