SBOMs in CI images are missing module digests

[imjasonh]

Also seeing this in #587

$ ci=ghcr.io/google/ko@sha256:8fa68c86562684f946e92086a6a4d1f17ee116fff32e157e68f96dbf948b0783
$ ko deps $ci --sbom=go.version-m
/ko-app/ko: go1.17.7
	path	github.com/google/ko
	mod	github.com/google/ko	(devel)	
	dep	cloud.google.com/go	v0.99.0	
	dep	github.com/Azure/azure-sdk-for-go	v55.8.0+incompatible	
	dep	github.com/Azure/go-autorest/autorest	v0.11.19	

If I build the image locally, the image it produces has module information including sums:

$ local=$(KO_DOCKER_REPO=gcr.io/imjasonh go run ./ build ./ --platform=all)
...
2022/02/11 11:01:22 Published gcr.io/imjasonh/ko-98b8c7facdad74510a7cae0cd368eb4e@sha256:73d4746ef0423a24b2e36705d5f648f8f6ed8ad2f70a74c43a1d799ea4135936
$ ko deps $local --sbom=go.version-m
/ko-app/ko: go1.17.7
	path	github.com/google/ko
	mod	github.com/google/ko	(devel)	
	dep	cloud.google.com/go	v0.99.0	h1:y/cM2iqGgGi5D5DQZl6D9STN/3dR/Vx5Mp8s752oJTY=
	dep	github.com/Azure/azure-sdk-for-go	v55.8.0+incompatible	h1:EuccMPzxu67cIE95/mrtwQivLv7ETmURi5IUgLNVug8=
	dep	github.com/Azure/go-autorest/autorest	v0.11.19	h1:7/IqD2fEYVha1EPeaiytVKhzmPV223pfkRIQUGOK2IE=
...

[imjasonh]

Also likely related to reproducibility diffs discussed in #593

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.