fix: use correct Docker tag format for SBOM and Trivy

Docker tags cannot contain slashes, so metadata-action converts
branch names like 'feature/docker-v2' to 'feature-docker-v2'.
Use steps.meta.outputs.version which has the correct format.

Author: bakerboy448

.github/workflows/docker-build.yml

@@ -33,6 +33,8 @@ jobs:
       contents: read
       packages: write
       id-token: write
+    outputs:
+      image-tag: ${{ steps.meta.outputs.version }}
 
     steps:
       - name: Checkout repository
@@ -87,7 +89,7 @@ jobs:
         if: github.event_name != 'pull_request'
         uses: anchore/sbom-action@v0
         with:
-          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
           format: spdx-json
           output-file: sbom.spdx.json
 
@@ -110,7 +112,7 @@ jobs:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image-tag }}
           format: 'sarif'
           output: 'trivy-results.sarif'