[Feat] Add automated SBOM generation and publication for GRASS releases #7215

@neteler

Description

GRASS should publish a Software Bill of Materials (SBOM) as part of its release process so users, distributors, and security tooling can inspect the project’s software composition more easily.

Suggested approach:

  • Generate the SBOM automatically in CI for release builds
  • Publish it alongside release tarballs and binaries
  • Prefer SPDX as the default format for broad compatibility
  • Keep the workflow in the repo so the SBOM can be regenerated consistently for each release
  • Optionally expose the current repository SBOM through GitHub’s dependency graph export as a secondary, GitHub-native source

This would improve transparency, supply-chain visibility, and downstream compliance for GRASS users and packagers.

Suggested tasks:

  • Add a GitHub Actions workflow to generate SBOMs on tags/releases (see e.g. here)
  • Choose an SBOM format, preferably SPDX

Acceptance criteria:

  • Every official GRASS release includes an SBOM artifact
  • The SBOM is generated automatically and reproducibly
  • The format and location of the SBOM are documented in the repository
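As an added example (not part of this issue or of the GRASS repository), a small Python gate that a release workflow could run over a generated SPDX JSON SBOM to check the acceptance criteria above: basic SPDX 2.x document structure, and reproducibility by comparing two generator runs after dropping the fields that legitimately vary between runs (creation timestamp and per-run document namespace). The field names are standard SPDX 2.x JSON; the sample document and its values are constructed placeholders.

```python
import copy
import json

# Fields expected to differ between two runs of the same generator on the
# same tree (per-run UUID namespace, generation timestamp); all else should match.
VOLATILE_TOP_LEVEL = {"documentNamespace"}
VOLATILE_CREATION_INFO = {"created"}


def validate_release_sbom(doc: dict) -> list:
    """Return a list of problems; an empty list means the SBOM passes the gate."""
    problems = []
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        problems.append("spdxVersion is not SPDX 2.x")
    if doc.get("dataLicense") != "CC0-1.0":
        problems.append("dataLicense must be CC0-1.0")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("top-level SPDXID must be SPDXRef-DOCUMENT")
    if not doc.get("packages"):
        problems.append("no packages listed; SBOM is empty")
    for pkg in doc.get("packages", []):
        for field in ("name", "SPDXID", "downloadLocation"):
            if field not in pkg:
                problems.append(f"package {pkg.get('name', '?')} lacks {field}")
    return problems


def normalize(doc: dict) -> str:
    """Canonical JSON of the document with the volatile fields removed."""
    clean = copy.deepcopy(doc)
    for key in VOLATILE_TOP_LEVEL:
        clean.pop(key, None)
    for key in VOLATILE_CREATION_INFO:
        clean.get("creationInfo", {}).pop(key, None)
    return json.dumps(clean, sort_keys=True, separators=(",", ":"))


def is_reproducible(run_a: dict, run_b: dict) -> bool:
    """True when two SBOM runs differ only in the volatile fields."""
    return normalize(run_a) == normalize(run_b)


def sample_sbom(created: str, namespace: str) -> dict:
    """Constructed minimal SPDX 2.3 JSON document (placeholder names/versions)."""
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT", "name": "example-release-sbom",
        "documentNamespace": namespace,
        "creationInfo": {"created": created, "creators": ["Tool: example-tool"]},
        "packages": [{"name": "example-lib", "SPDXID": "SPDXRef-Package-example-lib",
                      "versionInfo": "0.0.0-example", "downloadLocation": "NOASSERTION"}],
    }
```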

Metadata

Labels: CI (Continuous integration), backport to 8.5 (PR needs to be backported to release branch 8.5), enhancement (New feature or request)
