fix: use actions/upload-artifact for SBOM instead of built-in

The anchore/sbom-action built-in artifact upload doesn't work properly
in reusable workflows. Use explicit actions/upload-artifact instead.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: samuelho-dev

.github/workflows/docker-build-push.yml

@@ -201,10 +201,17 @@ jobs:
           image: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }}@${{ steps.build.outputs.digest }}
           format: 'spdx-json'
           output-file: 'sbom.spdx.json'
-          artifact-name: sbom-${{ inputs.image }}
-          upload-artifact: true
+          upload-artifact: false  # Disabled: reusable workflow artifact upload has issues
           upload-release-assets: false
 
+      - name: Upload SBOM as artifact
+        if: inputs.sbom
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{ inputs.image }}
+          path: sbom.spdx.json
+          retention-days: 30
+
       - name: Install Cosign
         if: inputs.sign
         uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0