ci: matrix per-crate SBOM attestation in release workflow

actions/attest@v4 sbom-path expects a single file path, not a glob,
so 'sbom/**/*.cdx.json' was treated literally and the attestation
failed with 'SBOM file not found' on the 0.3.8 release.

Convert the attest job to a matrix over [act-cli, act-build]. Each
matrix instance downloads only its own crate's binaries (using a
minimatch extglob negation 'act-!(build-*)' for act-cli to exclude
sibling-crate artifacts) and attests them against an explicit
per-crate SBOM path.

Author: GamePad64

.github/workflows/release.yml

@@ -26,15 +26,22 @@ jobs:
     uses: ./.github/workflows/build-sbom.yml
 
   attest:
-    name: Attest binaries
+    name: Attest ${{ matrix.crate }}
     needs: [build, sbom]
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    strategy:
+      matrix:
+        include:
+          - crate: act-cli
+            artifact-pattern: "act-!(build-*)"
+          - crate: act-build
+            artifact-pattern: "act-build-*"
     steps:
       - uses: actions/download-artifact@v8
         with:
           path: artifacts
-          pattern: "{act,act-build}-*"
+          pattern: ${{ matrix.artifact-pattern }}
           merge-multiple: true
       - uses: actions/download-artifact@v8
         with:
@@ -48,7 +55,7 @@ jobs:
         uses: actions/attest@v4
         with:
           subject-path: "artifacts/*"
-          sbom-path: "sbom/**/*.cdx.json"
+          sbom-path: "sbom/${{ matrix.crate }}/${{ matrix.crate }}.cdx.json"
 
   pypi-publish:
     name: Publish to PyPI