Publish spdx files with generated images #284
Description
When a user generates a custom image with extensions we should publish an spdx file they can download and import into 3rd party tools for internal compliance and CVE verification.
Currently, if someone wants to verify CVEs from a 3rd party tool they can download the generic SBOM from github (without extensions) or they can read the spdx file from a running Talos system. Reading the spdx file from a running system wouldn't work for a system connected to Omni because of limits on the Talos API.