@dependabot dependabot bot commented on behalf of github Jan 22, 2026

Bumps the github-actions group with 1 update: sbomify/github-action.

Updates sbomify/github-action from 0.11 to 0.12

Release notes

Sourced from sbomify/github-action's releases.

The One Where We Got CRA-zy Compliant

New Features

CRA (Cyber Resilience Act) Compliance Support

  • Added security_contact field for vulnerability reporting (URL/email)
  • Added support_period_end field for security support end date
  • Expanded lifecycle event support with release_date and end_of_life fields
  • Both CycloneDX and SPDX formats supported

SPDX Product Tagging

  • Added product metadata tagging for SPDX SBOMs, bringing parity with CycloneDX

Tool Version Checker

  • Added bin/check_tool_versions.py script to check and update bundled tool versions from GitHub releases

Improvements

Better Error Handling

  • Added DockerImageNotFoundError for clearer errors when Docker images don't exist
  • Improved duplicate SBOM upload handling with graceful error recovery
  • Better error messages for duplicate uploads with version hints

Updated Bundled Tools

  • Trivy: 0.67.2 → 0.68.2
  • Syft: 1.39.0 → 1.40.1

Bug Fixes

  • Fixed SPDX schema resolution error during validation
  • Fixed SPDX lockfile detection for full paths generated by Trivy
  • Fixed Docker tag mismatch in production container SBOM jobs

Commits

  • 7906c48 Merge branch 'master' into cut-0.12
  • 9977f75 Merge pull request #141 from sbomify/tool-checker
  • 0900714 Bump 0.12
  • 5550ab7 Remove cdxgen residue from version checker script
  • 535d7da Add tool version checker script and update tool versions
  • c2aeb90 Merge pull request #140 from sbomify/fix-annotation
  • 1bef314 Fix SPDX lockfile detection for full paths generated by Trivy
  • 2afdefb Merge pull request #139 from sbomify/spdx-tagging
  • caa6e05 Adds product tagging for SPDX sboms
  • 05615cb Merge pull request #138 from sbomify/incorrect-docker-image
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the github-actions group with 1 update: [sbomify/github-action](https://github.com/sbomify/github-action).


Updates `sbomify/github-action` from 0.11 to 0.12
- [Release notes](https://github.com/sbomify/github-action/releases)
- [Commits](sbomify/github-action@5dece42...7906c48)

---
updated-dependencies:
- dependency-name: sbomify/github-action
  dependency-version: '0.12'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
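The release notes above mention a new bin/check_tool_versions.py that compares the action's bundled scanners against their upstream GitHub releases (the 0.12 bump moved Trivy 0.67.2 to 0.68.2 and Syft 1.39.0 to 1.40.1). The following is an added example of that kind of check, written for this page; it is not sbomify's script and makes no claim about how that script works. It does not call the GitHub API: RELEASES is a constructed stand-in for the JSON list that GET /repos/{owner}/{repo}/releases returns, and the repository names used as keys are assumptions. The security-relevant details are that draft and pre-release tags are never treated as "latest", that the newest version is computed by semver rather than trusted from the API's list order, and that tags not matching plain X.Y.Z are rejected instead of being compared as strings.

```python
"""Compare bundled tool versions against the newest stable GitHub release.

Added example, not sbomify's bin/check_tool_versions.py. The GitHub
releases API is not called; RELEASES below is a constructed stand-in
for the JSON list that GET /repos/{owner}/{repo}/releases returns.
"""
import re
from typing import Iterable, Optional

# Versions bundled by the 0.11 action, as listed in the 0.12 release notes.
# The repository names are assumptions used only as dictionary keys.
BUNDLED = {"aquasecurity/trivy": "0.67.2", "anchore/syft": "1.39.0"}

# Constructed sample of each tool's release list. tag_name, draft and
# prerelease are the fields the real releases API exposes.
RELEASES = {
    "aquasecurity/trivy": [
        {"tag_name": "v0.69.0-rc.1", "draft": False, "prerelease": True},
        {"tag_name": "v0.68.2", "draft": False, "prerelease": False},
        {"tag_name": "v0.68.1", "draft": False, "prerelease": False},
        {"tag_name": "v0.67.2", "draft": False, "prerelease": False},
    ],
    "anchore/syft": [
        {"tag_name": "v1.41.0", "draft": True, "prerelease": False},
        {"tag_name": "v1.40.1", "draft": False, "prerelease": False},
        {"tag_name": "v1.39.0", "draft": False, "prerelease": False},
    ],
}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag: str) -> Optional[tuple]:
    """Turn 'v0.68.2' or '0.68.2' into (0, 68, 2).

    Returns None for anything else; pre-release suffixes such as
    '-rc.1' are deliberately rejected rather than compared as strings.
    """
    m = _SEMVER.match(tag.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def latest_stable(releases: Iterable[dict]) -> Optional[str]:
    """Tag of the highest release that is neither a draft nor a prerelease.

    The maximum is computed from the parsed versions; the order in which
    the API happens to list releases is not trusted.
    """
    best = None
    for r in releases:
        if r.get("draft") or r.get("prerelease"):
            continue
        v = parse_version(r["tag_name"])
        if v is None:
            continue
        if best is None or v > best[0]:
            best = (v, r["tag_name"])
    return best[1] if best else None


def outdated(bundled: dict, releases: dict) -> dict:
    """Map tool -> (bundled, latest) for every tool behind the newest stable release."""
    result = {}
    for tool, current in bundled.items():
        newest = latest_stable(releases.get(tool, []))
        have = parse_version(current)
        if newest is None or have is None:
            # No usable upstream data, or a malformed bundled version: report nothing
            # rather than guessing, so the caller can treat silence as "check manually".
            continue
        if parse_version(newest) > have:
            result[tool] = (current, newest.lstrip("v"))
    return result


if __name__ == "__main__":
    for tool, (old, new) in outdated(BUNDLED, RELEASES).items():
        print(f"{tool}: {old} -> {new}")
```

Run against the constructed data it reports both tools as behind, at exactly the versions the release notes bumped to, while ignoring the Trivy release candidate and the Syft draft. In a real pipeline the same logic would consume the parsed response of the releases endpoint; whatever the source, treat the resulting version as an input to review, and pin the bundled binary by checksum or digest rather than by tag alone.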
@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) Jan 22, 2026
@cpswan cpswan merged commit e3c92e3 into trunk Jan 22, 2026
10 checks passed
@cpswan cpswan deleted the dependabot/github_actions/github-actions-b9eb9c11e6 branch January 22, 2026 05:18