
Expose dependency-snapshot-correlator input

Open · willvrny opened this issue 2 years ago · 1 comment

I've been exploring using the anchore/sbom-action but have a scenario that would require exposing this input.

When using the action with a GitHub matrix to generate SBOMs for multiple images for submitting to the GitHub dependency API, the correlator is getting set to ${workflow}_${job}. I can't see a way to make this different between matrix runs so it is set to the same value for both. GitHub docs seem to suggest the following:

If you're using a build matrix, then you'll also need to add additional key(s) to distinguish between each submission inside a matrix variation.

It appears the code already supports an input of dependency-snapshot-correlator: https://github.com/anchore/sbom-action/blob/main/src/github/SyftGithubAction.ts#L449

Is it possible to expose this as an input to the action?

willvrny, Jun 28 '23 10:06

Many apologies for the delay responding here. I believe since there is already a call to core.getInput("dependency-snapshot-correlator"), that input should work but will probably produce a warning. We could add this to the exposed parameters, but if a user is running this action in a matrix build, it is also required to set the artifact-name. Should we just use this for the correlator instead?

kzantow, Jul 17 '24 00:07
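The matrix scenario from the issue and the maintainer's suggestion of keying on artifact-name, written out as a complete workflow. This is an added example, not a file from the issue or from the anchore/sbom-action project. The image names and job names are constructed; the `image`, `artifact-name` and `dependency-snapshot` inputs are ones the action accepts, while passing `dependency-snapshot-correlator` as an input relies on the undeclared `core.getInput` call the issue points at and is an assumption that may produce a warning until the input is formally exposed. Both values are derived from a fixed `matrix.name` rather than from shell-sanitized image strings, so no matrix value is interpolated into a `run:` script.

```yaml
name: sbom-matrix

on:
  push:
    branches: [main]

# The dependency submission API needs write access to repository contents.
permissions:
  contents: write

jobs:
  sbom:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Constructed sample entries: a short, filesystem-safe name next to each image.
        include:
          - name: api
            image: ghcr.io/example-org/api:latest      # placeholder image
          - name: worker
            image: ghcr.io/example-org/worker:latest   # placeholder image
    steps:
      - uses: actions/checkout@v4

      - name: Generate SBOM and submit dependency snapshot
        uses: anchore/sbom-action@v0
        with:
          image: ${{ matrix.image }}
          # Distinct per matrix leg, as the maintainer's comment requires for matrix builds.
          artifact-name: sbom-${{ matrix.name }}.spdx.json
          dependency-snapshot: true
          # Assumption: this input is honoured via the existing core.getInput call in
          # SyftGithubAction.ts even though action.yml does not declare it. Appending
          # matrix.name keeps the two submissions from sharing one correlator key.
          dependency-snapshot-correlator: ${{ github.workflow }}_${{ github.job }}_${{ matrix.name }}
```

Without the per-leg suffix both legs submit under the same `${workflow}_${job}` key and the second submission shadows the first in the dependency graph; with it, each image's snapshot is tracked separately, which is what makes later vulnerability alerts attributable to the right image.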