
Conversation

@prempador

@prempador prempador commented Nov 15, 2025

This Pull Request is the first step to close #175 . The goal is to highlight how SBOMs can be easily created via the CI/CD and can be uploaded. In order to show this, I added a workflow called sbom.yml which generates a set of 2 SBOMs, one for each current format (SPDX, CycloneDX).

Sidenote: I opted to use alpine:latest instead of directly going with the ubuntu runners, as it is more lightweight and has therefore less dependencies. I am still considering if moving away from :latest and doing a proper version pin is better, if we already go the extra mile to use a more lightweight container.

@netlify

netlify bot commented Nov 15, 2025

👷 Deploy request for tansu pending review.

Visit the deploys page to approve it

Name Link
🔨 Latest commit 7d466b1

@netlify

netlify bot commented Nov 15, 2025

Deploy Preview for staging-tansu canceled.

Name Link
🔨 Latest commit 7d466b1
🔍 Latest deploy log https://app.netlify.com/projects/staging-tansu/deploys/6918fe8bf4d88b0008af1733

@prempador prempador marked this pull request as draft November 15, 2025 22:18
@prempador prempador changed the title ✨ Store SBOM (#175) ✨ Store SBOM Nov 15, 2025
@prempador prempador changed the title ✨ Store SBOM feat: Store SBOM Nov 15, 2025
Owner

@tupui tupui left a comment


Cool first step, indeed simple to pull off and paves the way for the rest. With this I can see someone making their SBOMs and then we could add that to the contract like we have for commits.

e.g.

env.storage().persistent().set(&types::ProjectKey::Release(project_key, version), &sbom_cid);

Or might be better to make a struct like

#[contracttype]
#[derive(Clone, Debug, PartialEq)]
pub struct Release {
    pub sbom: String,         // cid
    pub version: String,      // "vx.x.x"
    pub attestation: String,  // cid
    pub cve: Vec<String>,     // something to show if affected by any?
    pub commit: Bytes,        // commit hash to link version to code
    // else?
}

env.storage().persistent().set(&types::ProjectKey::Release(project_key, version), &Release { ... });

Happy to get this in to try if this is ready. Maybe we add a workflow_dispatch: so we can test easily.
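For reference, a minimal workflow of the kind the PR description outlines (two SBOMs, one SPDX and one CycloneDX, generated in an Alpine container and uploaded as artifacts), with the `workflow_dispatch:` trigger suggested above. This is an added example, not the PR's `sbom.yml`; it assumes Syft as the generator, and the `alpine:3.20` pin and the artifact name are illustrative choices.

```yaml
# Added example, not the PR's own sbom.yml. Assumes Syft as the SBOM generator.
name: sbom

on:
  push:
    tags: ["v*"]
  workflow_dispatch:          # manual trigger so the job can be exercised on demand

permissions:
  contents: read              # the job only reads the repository; no write scopes needed

jobs:
  sbom:
    runs-on: ubuntu-latest
    container:
      image: alpine:3.20      # example pin instead of :latest, so runs are reproducible
    steps:
      - uses: actions/checkout@v4

      - name: Install Syft
        run: |
          apk add --no-cache curl jq
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
            | sh -s -- -b /usr/local/bin

      - name: Generate SPDX and CycloneDX SBOMs from the checked-out source
        run: |
          syft scan dir:. \
            -o spdx-json=sbom.spdx.json \
            -o cyclonedx-json=sbom.cdx.json

      - name: Sanity-check both documents before publishing them
        run: |
          # jq -e fails the step if the expression is false or null
          jq -e '.spdxVersion | startswith("SPDX-")' sbom.spdx.json
          jq -e '.bomFormat == "CycloneDX"' sbom.cdx.json

      - name: Upload SBOMs as build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: |
            sbom.spdx.json
            sbom.cdx.json
          if-no-files-found: error
```

The artifact produced here is what a later step could pin to content-addressed storage and record in the contract as the `sbom` CID discussed above.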
