SBOM for Github Actions workflow files #4209

Description

@audunmo

What would you like to be added:

I would like to be able to track my GitHub Actions workflows as an SBOM, such that if I have an action with uses: actions/checkout@v1.2.3, I get out an SBOM that contains this action, and which actions in turn it contains.

AFAIK, there is no standard today for how to express GitHub Actions as an SBOM, but if we resolve each tag to a commit, and then recursively follow each workflow, it should be Doable™.

Why is this needed:
It will let users of full semver tags, as in v1.2.3 as opposed to v1, detect if the tag has moved, as they can diff the generated SBOM against the previous SBOM. It will also let GHA users track which direct and transitive workflows they're pulling in via their GHAs.

Additional context:
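One way to prototype what the request above describes, as an added example that is not code from the issue or from the project: parse the `uses:` references out of a workflow, resolve each tag to a commit, recursively expand composite actions, and diff the result against an earlier SBOM to spot a tag that now points at a different commit. The workflow text, the action.yml contents, the commit SHAs and the tag-to-commit lookup table are all constructed stand-ins; a real implementation would fetch `action.yml` from the resolved commit and resolve tags with `git ls-remote` or the GitHub API.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample workflow (not from the issue): one job with two
# third-party actions and one plain run step.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1.2.3
      - uses: example-org/composite-lint@v2
      - run: make test
"""

# Constructed action.yml contents keyed by (repo, ref). Only composite
# actions list further `uses:` steps; leaf actions have no entry here.
ACTION_FILES: Dict[Tuple[str, str], str] = {
    ("example-org/composite-lint", "v2"): """\
name: composite-lint
runs:
  using: composite
  steps:
    - uses: actions/setup-node@v4
    - uses: actions/cache@v3.3.1
""",
}

# Constructed stand-in for `git ls-remote --tags` output: tag -> commit.
# The SHAs are fake placeholders, not real commits.
TAG_INDEX_BEFORE: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "v1.2.3"): "aaaa1111",
    ("example-org/composite-lint", "v2"): "bbbb2222",
    ("actions/setup-node", "v4"): "cccc3333",
    ("actions/cache", "v3.3.1"): "dddd4444",
}
# Same index after the checkout tag was force-moved to another commit.
TAG_INDEX_AFTER = {**TAG_INDEX_BEFORE, ("actions/checkout", "v1.2.3"): "eeee5555"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)


def parse_uses(yaml_text: str) -> List[str]:
    """Return every `uses:` target in a workflow or action.yml, in order."""
    return [m.group(1) for m in USES_RE.finditer(yaml_text)]


def split_ref(spec: str) -> Optional[Tuple[str, str]]:
    """Turn 'owner/repo[/path]@ref' into (owner/repo, ref). Local ('./x')
    and Docker ('docker://...') references have no tag to resolve, so skip."""
    if spec.startswith(("./", "docker://")) or "@" not in spec:
        return None
    path, _, ref = spec.partition("@")
    parts = path.split("/")
    if len(parts) < 2:
        return None
    return f"{parts[0]}/{parts[1]}", ref


def build_sbom(workflow_text: str, tag_index, action_files) -> Dict[str, dict]:
    """Walk the workflow and every composite action it pulls in. Components
    are keyed by 'repo@ref' and record the resolved commit plus children."""
    components: Dict[str, dict] = {}

    def visit(spec: str, parent: Optional[str]) -> None:
        parsed = split_ref(spec)
        if parsed is None:
            return
        repo, ref = parsed
        key = f"{repo}@{ref}"
        if parent is not None and key not in components[parent]["dependsOn"]:
            components[parent]["dependsOn"].append(key)
        if key in components:  # already expanded; also breaks cycles
            return
        components[key] = {
            "name": repo,
            "version": ref,
            "commit": tag_index.get((repo, ref), "UNRESOLVED"),
            "dependsOn": [],
        }
        for child in parse_uses(action_files.get((repo, ref), "")):
            visit(child, key)

    for spec in parse_uses(workflow_text):
        visit(spec, None)
    return components


def diff_sbom(old: Dict[str, dict], new: Dict[str, dict]) -> dict:
    """A tag that resolves to a different commit than last time is listed
    under 'moved'; that is the signal a full-semver pin is meant to give."""
    moved = sorted(k for k in old if k in new and old[k]["commit"] != new[k]["commit"])
    return {
        "moved": moved,
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


if __name__ == "__main__":
    import json
    before = build_sbom(WORKFLOW, TAG_INDEX_BEFORE, ACTION_FILES)
    after = build_sbom(WORKFLOW, TAG_INDEX_AFTER, ACTION_FILES)
    print(json.dumps(before, indent=2))
    print(json.dumps(diff_sbom(before, after), indent=2))
```

The component shape here is deliberately minimal; mapping it onto CycloneDX or SPDX fields is straightforward once the name, resolved commit and dependency edges are available. Note that a tag whose commit is unchanged but whose referenced composite action has itself changed a transitive pin shows up as a moved transitive component, which is the second thing the request asks to track.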

Metadata

Assignees

No one assigned

Labels

enhancement (New feature or request)

    Type

    No type

    Projects

    Status

    Ready

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
