ci: replace anchore/sbom-action and attest-sbom with Node.js 24 alternatives

- anchore/sbom-action has no Node.js 24 version; replaced with direct
  syft install + run (same underlying tool, no JS runtime)
- actions/attest-sbom is deprecated; replaced with actions/attest@v4
  using predicate-type https://spdx.dev/Document

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: obezpalko

.github/workflows/docker.yml

@@ -135,20 +135,17 @@ jobs:
           echo "digest=$(crane digest "${primary_tag}")" >> "$GITHUB_OUTPUT"
 
       - name: Generate SBOM
-        uses: anchore/sbom-action@v0.23.1
-        with:
-          path: .
-          output-file: sbom.spdx.json
-          format: spdx-json
-          upload-artifact: false
-          upload-release-assets: false
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+          syft . -o spdx-json=sbom.spdx.json
 
       - name: Attest SBOM
-        uses: actions/attest-sbom@v4
+        uses: actions/attest@v4
         with:
           subject-name: ${{ env.IMAGE }}
           subject-digest: ${{ steps.manifest.outputs.digest }}
-          sbom-path: sbom.spdx.json
+          predicate-type: https://spdx.dev/Document
+          predicate: sbom.spdx.json
 
       - name: Attest build provenance
         uses: actions/attest-build-provenance@v4