Expose upload-artifact and upload-release-assets inputs #269

@julien-carsique-sonarsource

Description

Hello,

I have integrated anchore/sbom-action into both an action and a reusable workflow that basically provide this flow:

  • generate sbom
    • optionally publish to the workflow (if upload-artifact) and to the release (if upload-release-assets)
  • sign sbom (shell script)
  • publish the signature to the workflow with actions/upload-artifact (if upload-artifact)
  • publish the signature to the release with svenstaro/upload-release-action (if upload-release-assets)

      - uses: anchore/sbom-action@v0.11.0
        with:
          image: ${{ inputs.image }}
          artifact-name: ${{ inputs.filename }}
          output-file: ${{ inputs.filename }}
          format: cyclonedx-json
          syft-version: ${{ inputs.syft-version }}
          upload-artifact: ${{ inputs.upload-artifact }}
          upload-release-assets: ${{ inputs.upload-release-assets }}
        env:
          SYFT_QUIET: true

This is working fine but raises a warning because it makes use of those two input parameters, which are not exposed:

Warning: Unexpected input(s) 'upload-artifact', 'upload-release-assets', 
valid inputs are ['path', 'image', 'registry-username', 'registry-password', 'format', 'github-token', 'artifact-name', 'output-file', 'syft-version', 'dependency-snapshot']

I guess that anchore/sbom-action/publish-sbom also accepts such "unexpected" input parameters.

WDYT about adding those inputs to anchore/sbom-action? Maybe also a quiet or syft-quiet option?
