ci: Generate SBOM

[jenshenneberg]

This PR

Generates Software Bill of Materials (SBOM) as described in #159. Once https://github.com/NuGet/Home/issues/12497 is implemented, the SBOM file(s) should be embedded in the published nuget packages. Until then, I've added the SBOM as an asset under the release.

Known issue

The SBOM file lists the dependences for all target frameworks combined. Once the above NuGet issue is implemented, it should be changed, so there is one sbom created for each target framework with only the applicable references included.

Related Issues

Fixes #159

How to test

Unfortunately, this is somewhat cumbersome to test, as the logic in question only kicks in upon a release from the main branch. I've tested it myself this way:

• Create new fork of this repo
• Merge this branch to main in the new repo
• Create a release in the new repo

[codecov[bot]]

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 94.47%. Comparing base (b23334b) to head (5403659).

Additional details and impacted files

```diff @@ Coverage Diff @@ ## main #245 +/- ## ======================================= Coverage 94.47% 94.47% ======================================= Files 27 27 Lines 1104 1104 Branches 119 119 ======================================= Hits 1043 1043 Misses 37 37 Partials 24 24 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

[toddbaert]

Wow thanks @jenshenneberg ! I will review this carefully tomorrow.

[jenshenneberg]

Comment addressed (after some GitHub challenges).