
feat: enable SBOM attestation for Docker images #21779

@flobrunner

Description

Check Existing Issues

  • I have searched for all existing open AND closed issues and discussions for similar requests. I have found none that is comparable to my request.

Verify Feature Scope

  • I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions.

Problem Description

The published Docker images on ghcr.io/open-webui/open-webui include provenance attestations (automatically generated by docker/build-push-action@v5 by default), but ship with an empty SBOM:

```sh
docker buildx imagetools inspect ghcr.io/open-webui/open-webui:latest \
  --format '{{ json .SBOM }}'
```

returns `{}`.

Without an SBOM, users and organizations cannot:

  • Audit which packages and dependencies are shipped in the image
  • Run automated CVE/vulnerability scans against a known package inventory
  • Meet supply chain security requirements (SLSA, NTIA minimum elements, internal compliance policies)

Desired Solution you'd like

Add `sbom: true` to each `docker/build-push-action@v5` step in `.github/workflows/docker-build.yaml` (affects all 5 image variants: main, cuda, cuda126, ollama, slim):

```yaml
- name: Build Docker image
  uses: docker/build-push-action@v5
  with:
    # ... existing config unchanged ...
    sbom: true
```

This is a built-in feature of `docker/build-push-action@v5` — no additional tooling, dependencies, or workflow restructuring required. The SBOM would be attached as an OCI attestation alongside the existing provenance and retrievable via:

```sh
docker buildx imagetools inspect ghcr.io/open-webui/open-webui:latest \
  --format '{{ json .SBOM }}'
```
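A CI gate built around that retrieval step, as an added example (not code from the issue or the open-webui project). It assumes `docker buildx` is on PATH, that a missing SBOM prints `{}` as shown above, and that the attached SBOM is an SPDX document; the sample JSON is constructed.

```sh
# Added example, not code from the issue or the open-webui project: a CI gate that
# fails when an image ships without an SBOM attestation. Assumes docker buildx is on
# PATH and that a missing SBOM prints "{}", as the issue shows.

# has_sbom JSON -> exit 0 when the inspect output carries an SBOM, 1 when it is empty.
has_sbom() {
  compact=$(printf '%s' "$1" | tr -d '[:space:]')
  case "$compact" in
    ""|"{}"|"null") return 1 ;;
  esac
  # buildx attaches the SBOM as an SPDX document (keyed per platform for multi-arch
  # images), so the JSON must contain that key to count as a real SBOM.
  printf '%s' "$compact" | grep -q '"SPDX"'
}

# sbom_package_count JSON -> rough number of package entries, counted from the
# "SPDXRef-Package..." identifiers; 0 for an empty or missing SBOM.
sbom_package_count() {
  printf '%s' "$1" | tr -d '[:space:]' \
    | grep -o '"SPDXID":"SPDXRef-Package' | wc -l | tr -d ' '
}

# check_image_sbom IMAGE -> 0 if the image has an SBOM, 1 if not, 2 if inspect fails.
check_image_sbom() {
  image="$1"
  json=$(docker buildx imagetools inspect "$image" --format '{{ json .SBOM }}') || return 2
  if has_sbom "$json"; then
    echo "OK: $image ships an SBOM with $(sbom_package_count "$json") package entries"
  else
    echo "FAIL: $image has no SBOM attestation (got: $json)" >&2
    return 1
  fi
}

# Constructed sample of what --format '{{ json .SBOM }}' returns once sbom: true is
# set (two package entries, trimmed to the fields the checks above look at).
SAMPLE_SBOM='{"SPDX":{"spdxVersion":"SPDX-2.3","packages":[
  {"SPDXID":"SPDXRef-Package-deb-bash-1a2b","name":"bash"},
  {"SPDXID":"SPDXRef-Package-python-uvicorn-3c4d","name":"uvicorn"}]}}'
```

Run `check_image_sbom ghcr.io/open-webui/open-webui:latest` in the workflow after the push step; a non-zero exit fails the job until `sbom: true` lands.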

Alternatives Considered

No response

Additional Context

No response
