Sign the generated BOMs

Signed-off-by: Prabhu Subramanian <[email protected]>

Author: prabhu

.github/workflows/image-build.yml

@@ -88,10 +88,11 @@ jobs:
           labels: ${{ steps.cdxgen-metadata.outputs.labels }}
       - name: save private key to file
         run: |
-          echo "$SBOM_SIGN_PRIVATE_KEY_DATA" | base64 -d > $GITHUB_WORKSPACE/private.key
-          ls -lh $GITHUB_WORKSPACE/private.key
+          echo "SBOM_SIGN_PRIVATE_KEY" > $GITHUB_WORKSPACE/private.key.b64
+          echo "SBOM_SIGN_PRIVATE_KEY" | base64 -d > $GITHUB_WORKSPACE/private.key
+          ls -lh $GITHUB_WORKSPACE/private.key $GITHUB_WORKSPACE/private.key.b64
         env:
-          SBOM_SIGN_PRIVATE_KEY_DATA: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
+          SBOM_SIGN_PRIVATE_KEY: ${{ secrets.SBOM_SIGN_PRIVATE_KEY }}
       - name: Attach cdx sbom to base
         run: |
           corepack pnpm install --config.strict-dep-builds=true --package-import-method copy --frozen-lockfile