feat(ci): add SBOM file to release artifacts

[addaleax]

Add generation of purls.txt and Silkbomb-generated sbom.json files to our CI/release infrastructure.

Like the corresponding Compass PR, this PR:

• Modifies our crypt_shared-library bundling/downloading step so that we store the version of the crypt_shared library we're bundling
• Generates a list of PURLs and then uses the SilkBomb tool to generate a SBOM file that we can share with DevProd
  (and later turn into its 'augmented' version with vulnerability information)

Unlike the Compass PR, this PR:

• Bundles the generated sbom.json file in existing release artifacts (i.e. .rpm/.deb/.zip/.tgz files)
• Introduces a new CI step, combining the partial PURLs file with the PURL (or, rather, a PURL – we'll probably need to clarify how exactly to specify this) for the crypt_shared library while also downloading it (instead of doing that in the other packaging steps)
• Fixes some existing inaccuracies around crypt_shared library downloading that never surfaced as real issues because we mostly just used the "host" OS/architecture combination for downloading the file (not it always happens on x64 Ubuntu)