
Verify MSI SBOM attestations#87

Merged
gontzess merged 1 commit into main from gontzess/verify-msi-sbom-attestations on May 27, 2026

Conversation

@gontzess
Contributor

Why

The registry verifier is being extended to verify SPDX SBOM bundles from release asset attestations. The non-Axiomatic Windows release path already asks GoReleaser for installer SBOMs, but the Windows signing step did not require them and the release validator skipped MSI SBOM verification.

What this changes

  • Requires each Windows zip and MSI artifact to have an SPDX SBOM before signing SBOM attestation bundles.
  • Fails the Windows release job if no Windows SBOM bundles are produced.
  • Verifies MSI detached signatures, provenance attestations, and SBOM attestations in the release artifact validator.

This can land after registry API PR #153; that registry PR intentionally keeps MSI SBOMs optional during the workflow transition.

Validation:

  • bash -n scripts/validate-release-artifacts.sh
  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yaml")'
  • go test ./cmd/generate-windows-manifest ./cmd/record-release ./cmd/generate-manifest ./cmd/merge-manifests
  • git diff --check
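The pre-signing gate described in the PR ("each Windows zip and MSI artifact must have an SPDX SBOM before SBOM attestation bundles are signed", and "fail the job if no Windows SBOM bundles are produced") as an added example in bash. This is illustration code written for this page, not the project's scripts/validate-release-artifacts.sh or release workflow; the dist layout and the `<artifact>.sbom.spdx.json` naming convention are assumptions, and the fixture artifacts and SBOMs are constructed sample data. It goes one step past a file-existence check by confirming the SBOM is SPDX and records the artifact's current SHA256, so an SBOM generated for a different build is rejected too. Detached-signature and provenance verification require the signing tooling and are not shown.

```shell
#!/usr/bin/env bash
# Added example (not the project's script): gate that requires every Windows
# zip/MSI in a dist directory to have a matching SPDX SBOM before signing.
# Assumed convention: the SBOM for <artifact> lives at <artifact>.sbom.spdx.json.
set -u

# Portable SHA256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# require_windows_sboms DIR
# Returns 0 when every *.zip and *.msi in DIR has a sibling SBOM that is SPDX
# and records the artifact's current SHA256. Reports each missing, non-SPDX or
# stale SBOM on stderr and returns 1. A DIR with no Windows artifacts at all
# also returns 1, mirroring "fail the job if no Windows SBOM bundles are produced".
require_windows_sboms() {
  local dir=$1 found=0 bad=0 artifact sbom want
  for artifact in "$dir"/*.zip "$dir"/*.msi; do
    [ -e "$artifact" ] || continue   # unmatched glob stays literal; skip it
    found=$((found + 1))
    sbom="$artifact.sbom.spdx.json"
    if [ ! -s "$sbom" ]; then
      echo "missing SBOM for $(basename "$artifact")" >&2
      bad=$((bad + 1)); continue
    fi
    if ! grep -q '"spdxVersion"' "$sbom"; then
      echo "not an SPDX document: $(basename "$sbom")" >&2
      bad=$((bad + 1)); continue
    fi
    want=$(sha256_of "$artifact")
    # The SBOM must carry the digest of the bytes we are about to attest.
    if ! grep -qi "\"checksumValue\": *\"$want\"" "$sbom"; then
      echo "SBOM checksum does not match $(basename "$artifact")" >&2
      bad=$((bad + 1))
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "no Windows zip/MSI artifacts found in $dir" >&2
    return 1
  fi
  [ "$bad" -eq 0 ]
}

# write_spdx_sbom ARTIFACT: constructs a minimal SPDX 2.3 JSON document for the
# fixture below (sample data, not a real GoReleaser SBOM).
write_spdx_sbom() {
  local artifact=$1
  cat > "$artifact.sbom.spdx.json" <<EOF
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "$(basename "$artifact")",
  "packages": [
    {
      "name": "$(basename "$artifact")",
      "SPDXID": "SPDXRef-Package",
      "checksums": [ { "algorithm": "SHA256", "checksumValue": "$(sha256_of "$artifact")" } ]
    }
  ]
}
EOF
}

# make_fixture: throwaway dist directory with one zip, one MSI and matching
# SBOMs (constructed placeholder bytes, not real installers). Prints the path.
make_fixture() {
  local dir f
  dir=$(mktemp -d)
  printf 'placeholder zip bytes' > "$dir/tool_windows_amd64.zip"
  printf 'placeholder msi bytes' > "$dir/tool_windows_amd64.msi"
  for f in "$dir"/*.zip "$dir"/*.msi; do
    write_spdx_sbom "$f"
  done
  echo "$dir"
}

# Usage: ./gate.sh --demo   (or: require_windows_sboms ./dist before signing)
if [ "${1:-}" = "--demo" ]; then
  demo_dir=$(make_fixture)
  require_windows_sboms "$demo_dir" && echo "all Windows artifacts have SPDX SBOMs"
fi
```

In a release job the call would sit between the SBOM-generation step and the attestation-signing step, so a missing or stale SBOM stops the run before any bundle is signed rather than being discovered by the downstream verifier.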

@gontzess gontzess marked this pull request as ready for review May 27, 2026 20:08
@gontzess gontzess merged commit 6892174 into main May 27, 2026
2 checks passed
@gontzess gontzess deleted the gontzess/verify-msi-sbom-attestations branch May 27, 2026 20:15