fix(ci): disable SBOM attestations on buildx to unblock registry push

Matches woodpeckerci/plugin-docker-buildx defaults. Without --sbom=false
buildkit emits an OCI image index with SBOM attestation that the itsh.dev
registry rejects with 'manifest invalid'. Provenance was already disabled.

.gitlab-ci.yml

@@ -17,7 +17,7 @@ backend:docker:
   before_script:
     - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" $REGISTRY
   script:
-    - docker buildx build --push --provenance=false -f backend/deploy/Dockerfile -t "$BACKEND_IMAGE:${CI_COMMIT_SHORT_SHA}" backend/
+    - docker buildx build --push --provenance=false --sbom=false -f backend/deploy/Dockerfile -t "$BACKEND_IMAGE:${CI_COMMIT_SHORT_SHA}" backend/
   rules:
     - if: '$CI_COMMIT_BRANCH == "main"'
       changes: [backend/**/*]
@@ -59,7 +59,7 @@ web:docker:
     - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" $REGISTRY
   script:
     - |
-      docker buildx build --push --provenance=false \
+      docker buildx build --push --provenance=false --sbom=false \
         -f web/Dockerfile \
         --build-arg PUBLIC_API_BASE_URL=https://api.marktvogt.de \
         --build-arg PUBLIC_TURNSTILE_SITE_KEY=0x4AAAAAACjLCV-78Ql1oTPz \