we should add a generation step for CycloneDX / SPDX info.

https://github.com/CycloneDX/cdxgen might work ... but I have to test it :)

more info: https://about.gitlab.com/blog/2022/10/25/the-ultimate-guide-to-sboms

but in short it's to let woodpecker be used in the US in environments that are regulated by https://www.cisa.gov/sbom