fix(sbom): add CycloneDX report

    - mkdir -p -m 777 reports

    - npx -y @cyclonedx/cyclonedx-npm${NODE_SBOM_VERSION:+@$NODE_SBOM_VERSION} --output-format JSON --output-file reports/node-sbom.cyclonedx.json $NODE_SBOM_OPTS

    - chmod a+r reports/node-sbom.cyclonedx.json

  rules:

    # exclude if disabled

    - if: '$NODE_SBOM_DISABLED == "true"'

      when: never

    - !reference [.test-policy, rules]

  artifacts:

    name: "SBOM for Node from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"

    when: always

    expire_in: 1 week

    paths:

      - $NODE_PROJECT_DIR/reports/node-sbom.cyclonedx.json

    reports:

      cyclonedx: 

        - $NODE_PROJECT_DIR/reports/node-sbom.cyclonedx.json

  rules:

    # exclude if disabled

    - if: '$NODE_SBOM_DISABLED == "true"'

      when: never

    - !reference [.test-policy, rules]