fix: invoke cyclonedx-npm via npx so SBOM workflow can backfill old tags#22

Merged
SINENSIA merged 1 commit into main from fix/sbom-workflow-npx on May 10, 2026
Conversation

@scops (Collaborator)

@scops scops commented May 10, 2026

Summary

Replaces the npm run sbom step in .github/workflows/sbom.yml with a direct npx --yes @cyclonedx/cyclonedx-npm@^4 ... invocation. The local script in package.json stays for developer use.

Why

The workflow runs against an arbitrary tag (the just-published release on release: published, or whatever the operator passes to workflow_dispatch). Tags older than #20 don't have the sbom npm script, so the workflow fails with npm error Missing script: "sbom" (run 25640979470 reproduced this against v2.2.0).

By bringing the tool in via npx, the workflow no longer depends on anything inside the checked-out tag beyond package.json / package-lock.json (used by npm ci for node_modules). It now works for v2.0.0 onward.

Notes

  • The workflow YAML lives on main and is read from there for workflow_dispatch, and from the tag itself for release: published. Once this merges, v2.4.0 and beyond will use the fixed file automatically; for release: published against v2.3.0 we already attached the SBOM successfully (the v2.3.0 tag includes the old workflow, which works because v2.3.0 does have the script).
  • After merge, backfill the older releases with:
    gh workflow run sbom.yml --ref main -f tag=v2.2.0
    gh workflow run sbom.yml --ref main -f tag=v2.1.0
    gh workflow run sbom.yml --ref main -f tag=v2.0.0

Test plan

  • CI green on this PR (no runtime change).
  • After merge, dispatch the workflow against v2.2.0 and confirm the SBOM is attached. Then repeat for v2.1.0 and v2.0.0.
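For readers who want to see the shape of the fix described above, here is a constructed GitHub Actions workflow (an added example, not the project's actual .github/workflows/sbom.yml) showing the old `npm run sbom` step beside the `npx` invocation that replaces it. The tag resolution via `github.event.release.tag_name || inputs.tag`, the `--output-format`/`--output-file` flags of cyclonedx-npm, the output filename and the `gh release upload` step are assumptions, since the PR elides the exact arguments.

```yaml
name: sbom

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag to generate an SBOM for (e.g. v2.2.0)"
        required: true
        type: string

permissions:
  contents: write   # required to attach the SBOM asset to the release

jobs:
  sbom:
    runs-on: ubuntu-latest
    env:
      # release: published supplies the tag; workflow_dispatch takes it as input (assumed expression)
      TAG: ${{ github.event.release.tag_name || inputs.tag }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ env.TAG }}          # check out the tag being backfilled, not main

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm ci                    # only package.json / package-lock.json from the tag are needed

      # Before this PR: depends on an "sbom" script that tags older than #20 do not define,
      # so the job dies with: npm error Missing script: "sbom"
      # - run: npm run sbom

      # After this PR: npx fetches the pinned major of the tool itself, so the step
      # works on any tag that has a lockfile (flags below are assumed, not from the PR)
      - run: >
          npx --yes @cyclonedx/cyclonedx-npm@^4
          --output-format JSON
          --output-file sbom.cdx.json

      - run: gh release upload "$TAG" sbom.cdx.json --clobber
        env:
          GH_TOKEN: ${{ github.token }}
```

Dispatching this with `-f tag=v2.2.0` exercises exactly the path that previously failed, while the pin to `@^4` keeps the tool version bounded rather than floating to whatever npx would otherwise resolve.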

@SINENSIA SINENSIA self-requested a review May 10, 2026 22:23
@SINENSIA SINENSIA merged commit 2b6cd52 into main May 10, 2026
6 checks passed
@SINENSIA SINENSIA deleted the fix/sbom-workflow-npx branch May 10, 2026 22:23