Embed SBOM into wheels

[hugovk]

Follow on from #9550, which generates an SBOM and uploads it to a GitHub release.

This PR embeds the SBOM into the .dist-info/sboms/ directory of wheels, following PEP 770.

Things to note:

• The Linux wheels already contain an SBOM, auditwheel.cdx.json, created by auditwheel during the manylinux repair step of cibuildwheel.

  • The manylinux wheels contains only two things: Pillow and libXau, where libXau is what was grafted in from the system by auditwheel. It doesn't contain all the things in our own SBOM.
  • The musllinux wheels also contain libbsd, libmd and libxdmcp (which are deps of libXau on Alpine).

• auditwheel.cdx.json uses CycloneDX 1.4, and varies for each generated wheel.

• Our own SBOM uses CycloneDX 1.7, and is identical for all wheels, and include all our deps, based on our dependencies.json. We don't vary per OS.

To inspect: download a wheel, rename to .zip, look in pillow-12.3.0.dev0.dist-info/sboms/.

---

Should we include our own generated SBOM in the wheel?

Should we keep the auditwheel.cdx.json SBOM?

Multiple SBOMs are allowed in the dir, and they do both describe the distribution, in different ways.

cc @jkowalleck @sethmlarson

[mergify]

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

• Queue this pull request

[radarhere]

Suggested change

	print(f"error: no wheels found in {args.wheelhouse}", file=sys.stderr)
	raise SystemExit(1)
	parser.error(f"no wheels found in {args.wheelhouse}")