otel-sig-security - adding SBOM to builds #1136

Closed
wants to merge 1 commit into from

bobstrecansky
Collaborator

#otel-sig-security asked for SBOM to be added to builds. This PR adds it to our php actions. It may be too frequent, but we can ensure we have this for when we do our builds.

@bobstrecansky bobstrecansky requested a review from a team November 2, 2023 18:01

codecov bot commented Nov 2, 2023

Codecov Report

Merging #1136 (d0b2087) into main (42a8b95) will not change coverage.
The diff coverage is n/a.

❗ Current head d0b2087 differs from pull request most recent head 6de09c9. Consider uploading reports for the commit 6de09c9 to get more accurate results

@@            Coverage Diff            @@
##               main    #1136   +/-   ##
=========================================
  Coverage     84.27%   84.27%           
  Complexity     2160     2160           
=========================================
  Files           279      279           
  Lines          6137     6137           
=========================================
  Hits           5172     5172           
  Misses          965      965           
Flag Coverage Δ
7.4 82.89% <ø> (ø)
8.0 84.20% <ø> (ø)
8.1 84.34% <ø> (ø)
8.2 84.34% <ø> (ø)
8.3 84.34% <ø> (ø)

Legend:
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 42a8b95...6de09c9.

Collaborator

brettmc commented Nov 3, 2023

It ran in 4 seconds and looks to have found some PHP packages, which is a good start. The next question is: how do we surface this? (particularly given we don't do releases in this repo or in contrib)

Collaborator

brettmc commented Nov 27, 2023

@bobstrecansky It looks like this is successfully generating an SBOM, and it claims to be uploading it as an artifact, but I can't see one.
